analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b

Full analysis: https://app.any.run/tasks/b1d36502-56db-4cab-a121-81221d6ca408
Verdict: Malicious activity
Analysis date: February 19, 2019, 06:59:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

9FFF0FCA5C7D0C5D2808DCC47B025AD6

SHA1:

76F9A4D6929734543A9B82DCE7CB140ADAEA8458

SHA256:

AD825E0EFB44C8F8635DF8709695389FB939E31AA238F26E0C2D2C1E0A8E551B

SSDEEP:

24576:yNm62jnSuNCwhqs+bWYB5snJUaGgsggo6QA7vW6HLc2Q9Yvbh0nmE6WSDNKVbHqz:k27SuUwCBtaxsgWHvnL9Dha2WSpKVuz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • UAC/LUA settings modification

      • ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exe (PID: 3512)
    • Changes settings of System certificates

      • ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exe (PID: 3512)
    • Loads dropped or rewritten executable

      • ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exe (PID: 3512)
    • Writes to a start menu file

      • ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exe (PID: 3512)
  • SUSPICIOUS

    • Creates files in the program directory

      • ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exe (PID: 3512)
    • Executable content was dropped or overwritten

      • ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exe (PID: 3512)
    • Creates files in the user directory

      • ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exe (PID: 3512)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 23:50:52+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 24064
InitializedDataSize: 164864
UninitializedDataSize: 1024
EntryPoint: 0x30fa
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Dec-2009 22:50:52
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 05-Dec-2009 22:50:52
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00005C4C
0x00005E00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.44011
.rdata
0x00007000
0x0000129C
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.04684
.data
0x00009000
0x00025C58
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.801
.ndata
0x0002F000
0x00009000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00038000
0x00003EF8
0x00004000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.91714

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.10394
533
UNKNOWN
English - United States
RT_MANIFEST
2
5.9993
3752
UNKNOWN
English - United States
RT_ICON
3
6.24459
2216
UNKNOWN
English - United States
RT_ICON
4
5.01502
1384
UNKNOWN
English - United States
RT_ICON
5
6.16057
1128
UNKNOWN
English - United States
RT_ICON
6
3.34146
744
UNKNOWN
English - United States
RT_ICON
7
3.04232
296
UNKNOWN
English - United States
RT_ICON
103
2.6691
104
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.73893
514
UNKNOWN
English - United States
RT_DIALOG
106
2.91148
248
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exe no specs ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exe

Process information

PID
CMD
Path
Indicators
Parent process
3060"C:\Users\admin\AppData\Local\Temp\ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exe" C:\Users\admin\AppData\Local\Temp\ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
3512"C:\Users\admin\AppData\Local\Temp\ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exe" C:\Users\admin\AppData\Local\Temp\ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
2
Total events
364
Read events
351
Write events
13
Delete events
0

Modification events

(PID) Process:(3512) ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:ConsentPromptBehaviorAdmin
Value:
0
(PID) Process:(3512) ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:EnableLUA
Value:
0
(PID) Process:(3512) ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\runas
Operation:writeName:
Value:
Take Ownership
(PID) Process:(3512) ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\runas
Operation:writeName:NoWorkingDirectory
Value:
(PID) Process:(3512) ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\runas\command
Operation:writeName:
Value:
cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F
(PID) Process:(3512) ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shell\runas\command
Operation:writeName:IsolatedCommand
Value:
cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F
(PID) Process:(3512) ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\runas
Operation:writeName:
Value:
Take Ownership
(PID) Process:(3512) ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\runas
Operation:writeName:NoWorkingDirectory
Value:
(PID) Process:(3512) ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\runas\command
Operation:writeName:
Value:
cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t
(PID) Process:(3512) ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\runas\command
Operation:writeName:IsolatedCommand
Value:
cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t
Executable files
4
Suspicious files
0
Text files
13
Unknown types
11

Dropped files

PID
Process
Filename
Type
3512ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeC:\Program Files\CloudPOS\background.pngimage
MD5:3E4DC726FE565447D9EE7C4D7A78D94B
SHA256:A820F08080029ACCFBE2CD7FCB27271AC5ACEA7A786DC5C9D0C0176677A04904
3512ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeC:\Program Files\CloudPOS\WinTool.dllexecutable
MD5:3CA4ED0B97F3E46286458AB48717947B
SHA256:644B1E975D460E1A8FF1A6DC19E6AE71370FBD4C9F6855E52D200F786E474225
3512ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeC:\Program Files\CloudPOS\logo_main.pngimage
MD5:9386408BEB7D406EC806297C209C2C8C
SHA256:2CA3C59370B1498124B19C1CCED94032F41DFC80D1878E7C1BAEDA17EC7D8F6E
3512ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeC:\Users\Administrator\Desktop\VeronaPOS.lnklnk
MD5:CC1CC84CED6758324E256A3D08A4FA76
SHA256:C1D3C6BE6BDA8C019BDF8899F3FE98DC66E8C8EF6DAF7B352547BDC2D093B9D7
3512ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeC:\Program Files\CloudPOS\splash.pngimage
MD5:876C5DFEA7483CAD6A0684AA475E08FC
SHA256:AD89D02211671FF558D7C9C4E1D077147F01049CEEBB6F61402AA4B5C763195B
3512ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeC:\Program Files\CloudPOS\AutoUpdate.exeexecutable
MD5:E2A6A4CEE02053DCB7EDC1FAD66CD05A
SHA256:F5DEBC44C301DCD0D66D6D58BCB6230169EDA31FA7381502976D0D8AC5D5BC41
3512ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeC:\Program Files\CloudPOS\ConfigurationManager.dllexecutable
MD5:FEB301AE52AC096B72B7A5BB4E0A0F5E
SHA256:5F9619FDCBCE57B3FCB4F087775A751BB129664FA3E557C90B308F077BDED99C
3512ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeC:\Program Files\CloudPOS\comodorsaaddtrustca.crttext
MD5:C6417027053396EAA5A7235C8D2315B7
SHA256:E9EC38F5D60D03F1DE84B500CA1EB8B0E41F61B4FE41B2E76C884A35222A998C
3512ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeC:\Program Files\CloudPOS\CONFIGURATIONtext
MD5:D9C43ACB9D537C28439774A0DCA14070
SHA256:AA5420801AA69E4026DAF4358B2895AA42A42ECBA443ADBEBC9E51D54F9E0D86
3512ad825e0efb44c8f8635df8709695389fb939e31aa238f26e0c2d2c1e0a8e551b.exeC:\Users\admin\Desktop\VeronaPOS.lnklnk
MD5:CC1CC84CED6758324E256A3D08A4FA76
SHA256:C1D3C6BE6BDA8C019BDF8899F3FE98DC66E8C8EF6DAF7B352547BDC2D093B9D7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info