analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Sayo_CLI_Windows.exe

Full analysis: https://app.any.run/tasks/57e31639-2512-4713-b62b-8506961662a0
Verdict: Malicious activity
Analysis date: December 30, 2022, 18:55:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

178C20C1250E0D1AC0E71517CAAB1CCC

SHA1:

7110D4FEFBECE0A951FDF33A13886D711A7EF875

SHA256:

AE0535CC607B7553CBEBD3C475C57D334678DDFD02201DFBE266E799CC91DB8A

SSDEEP:

6144:kDF4y1Mk171PVwgWe8vDViyk+NKg8ypq:C1McwpemiyvQWp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads the Internet Settings

      • Sayo_CLI_Windows.exe (PID: 1744)

    • Detected use of alternative data streams (AltDS)

      • Sayo_CLI_Windows.exe (PID: 1744)

  • INFO

    • Checks supported languages

      • Sayo_CLI_Windows.exe (PID: 1744)

    • The process checks LSA protection

      • iexplore.exe (PID: 3012)
      • iexplore.exe (PID: 3572)

    • Reads the computer name

      • Sayo_CLI_Windows.exe (PID: 1744)

    • Application launched itself

      • iexplore.exe (PID: 3012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 2022-Sep-28 12:47:05
Detected languages:
  • Chinese - PRC
  • English - United States
Debug artifacts:
  • W:\Sayo_control_CLI\Release\Sayo_CLI_Windows.pdb
CompanyName: 山东小夜电子科技有限公司
FileDescription: SayoDevice键盘设定程序
FileVersion: 1.0.0.1
InternalName: Sayo_CLI_Windows.exe
LegalCopyright: Copyright (C) 2022
OriginalFilename: Sayo_CLI_Windows.exe
ProductName: SayoDevice
ProductVersion: 1.0.0.1

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 264

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2022-Sep-28 12:47:05
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
164737
164864
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.42614
.rdata
172032
40468
40960
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.78377
.data
212992
3709016
1536
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.0962
.rsrc
3923968
1296
1536
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.85838
.reloc
3928064
12760
12800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.71028

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.64698
748
UNKNOWN
Chinese - PRC
RT_VERSION
1 (#2)
4.91161
381
UNKNOWN
English - United States
RT_MANIFEST

Imports

KERNEL32.dll
MSVCP140.dll
SETUPAPI.dll
SHELL32.dll
USER32.dll
VCRUNTIME140.dll
WS2_32.dll
api-ms-win-crt-convert-l1-1-0.dll
api-ms-win-crt-filesystem-l1-1-0.dll
api-ms-win-crt-heap-l1-1-0.dll

Exports

Title
Ordinal
Address
hid_close
1
68832
hid_enumerate
2
66096
hid_error
3
69168
hid_exit
4
66048
hid_free_enumeration
5
67152
hid_get_feature_report
6
68576
hid_get_indexed_string
7
69104
hid_get_input_report
8
68704
hid_get_manufacturer_string
9
68912
hid_get_product_string
10
68976
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start sayo_cli_windows.exe no specs iexplore.exe iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1744"C:\Users\admin\AppData\Local\Temp\Sayo_CLI_Windows.exe" C:\Users\admin\AppData\Local\Temp\Sayo_CLI_Windows.exeExplorer.EXE
User:
admin
Company:
山东小夜电子科技有限公司
Integrity Level:
MEDIUM
Description:
SayoDevice键盘设定程序
Exit code:
3221225786
Version:
1.0.0.1
Modules
Images
c:\users\admin\appdata\local\temp\sayo_cli_windows.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
3012"C:\Program Files\Internet Explorer\iexplore.exe" http://127.0.0.1:7296/C:\Program Files\Internet Explorer\iexplore.exe
Sayo_CLI_Windows.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3572"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3012 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
18 476
Read events
18 240
Write events
232
Delete events
4

Modification events

(PID) Process:(3012) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(3012) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(3012) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
31005824
(PID) Process:(3012) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(3012) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
31005824
(PID) Process:(3012) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3012) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3012) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3012) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3012) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
0
Suspicious files
20
Text files
6
Unknown types
14

Dropped files

PID
Process
Filename
Type
3012iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF7E03D6EB5B772F29.TMPgmc
MD5:7DC3A1068AEE3BF968790CA7824BD11A
SHA256:5E00B96674E0C01AF0C05387A19582F6C73E293270E7880B17283654B6040859
3012iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF156483F2AD4C19D0.TMPgmc
MD5:0AB9F0473D1BD726B832F57A6249FA6E
SHA256:ECA35024E616AB0DBAD36A18F2425B7F9843B72D1CD08D8E816382FD50C3266D
3012iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF5FDF7FAC5AB2B6E4.TMPgmc
MD5:6FEEF7DE1E756201DA7642FAD06CBE6D
SHA256:6DA443C73CEEB752ABF6886152039BD323ABE6E55B04AFF952B5AF16D0ABB847
3012iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:939464A54F0ACD76E95DA616F5FB9045
SHA256:B7E8A65BE493B65F15F89E2B3C35444B7E8A481EFB2AE14C3EFFAE66A7E78163
3012iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:57BF86B778792BF4A4D327D336CE47AE
SHA256:AF6421F7A5B5590C49DAABABAC115F9CDCF21EAEA5EEC8673B0DC452C0E82C48
3012iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{42C873D0-1D90-11EB-BA2C-12A9866C77DE}.datbinary
MD5:3B61E16EA5F9D307F3F02531D6235E4E
SHA256:8DAA48BB23FA896C172D8A70B18498632B04D04521A018786EF8803D4FAFEE0D
3012iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442binary
MD5:F4E8E1998607C064097E76D49182E16F
SHA256:2A2C6809F81931D1D48C56C57BC969D89BD5E88313DB60F6EEA0D48A446D7CDF
3012iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776der
MD5:D81F3875FEBDA0BCD89884B3A7374181
SHA256:24A0648858B4C866C3DD80D7591B345ABC0F61A9692DC91633121A18BC44168C
3012iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{7C2B606F-8873-11ED-80DA-12A9866C77DE}.datbinary
MD5:5898F3D9B984D7F3C896934D403424C8
SHA256:3EAC2787106D2ECED69653C5719FDFBCC1F4642BBA119EEAEF1A75F44829FC9F
3012iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{7C2B6070-8873-11ED-80DA-12A9866C77DE}.datbinary
MD5:A1CD864CDB17AC052AC692CA6EF69933
SHA256:7F88DAAA1F0FB98EEEE1C5A40033868E638DA077BBD94FBEEE469A225CCFDC6A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
8
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3012
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3012
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
3012
iexplore.exe
GET
200
8.238.191.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?40d9f0034b78b6c2
US
compressed
4.70 Kb
whitelisted
3012
iexplore.exe
GET
200
8.238.191.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9b926f665869bdff
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3012
iexplore.exe
204.79.197.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3012
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted
3012
iexplore.exe
8.238.191.126:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious
3012
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ctldl.windowsupdate.com
  • 8.238.191.126
  • 8.248.131.254
  • 8.241.11.126
  • 8.248.149.254
  • 8.253.95.249
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Sayo_CLI_Windows.exe