File name: Fichero Análsis 1.exe
Full analysis: https://app.any.run/tasks/f3593e2b-b813-4fd0-b9a0-4dd5e7056981
Verdict: Malicious activity
Analysis date: February 22, 2020, 06:28:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5: E2BF42217A67E46433DA8B6F4507219E
SHA1: DAF263702F11DC0430D30F9BF443E7885CF91FCB
SHA256: AE8A1C7EB64C42EA2A04F97523EBF0844C27029EB040D910048B680F884B9DCE
SSDEEP: 384:WFVmdLgy5rg8g3SRrmlmwTwJrgmoS+GFbenP56cbwRG10IOp2n40iFLcH:GX4g8LRjhgmoDGFyP3+zb4nGY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses SVCHOST.EXE for hidden code execution

      • Fichero Análsis 1.exe (PID: 916)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2952)
      • WINWORD.EXE (PID: 3588)
    • Manual execution by user

      • WINWORD.EXE (PID: 2952)
      • WINWORD.EXE (PID: 3588)
      • explorer.exe (PID: 2648)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2952)
      • WINWORD.EXE (PID: 3588)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:04:08 19:54:23+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 12288
InitializedDataSize: 36864
UninitializedDataSize: -
EntryPoint: 0x1adb
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 08-Apr-2011 17:54:23

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 08-Apr-2011 17:54:23
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name   | Virtual Address | Virtual Size | Raw Size   | Characteristics                                                                | Entropy
.text  | 0x00001000      | 0x00002E96   | 0x00003000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                  | 6.40292
.rdata | 0x00004000      | 0x000008F2   | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                             | 3.55009
.data  | 0x00005000      | 0x000007DC   | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE        | 0.761837
.rsrc  | 0x00006000      | 0x00006084   | 0x00007000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                             | 4.47335
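The DOS Header, PE Headers and Sections blocks above are the raw fields a static triage tool reads before anything runs. The following is an added example, not ANY.RUN's code and not code from the sample: a minimal PE32 header walker that recovers the same fields (e_lfanew, which the report labels "Address of NE header", the COFF machine/timestamp/characteristics, the optional header's linker version, entry point and subsystem, and the section table with per-section Shannon entropy) and flags sections that are writable-and-executable or packed-looking. `build_sample_pe()` is a constructed test image whose header values mirror the report (e_lfanew 0xE0, I386, console subsystem, linker 6, entry point 0x1ADB, the five file characteristics) but whose section contents are synthetic; it is not the analysed binary. The entropy threshold of 7.0 is an assumption, not a value from the report.

```python
import math
import struct
from datetime import datetime, timezone

MACHINE = {0x014C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64"}
SUBSYSTEM = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
FILE_FLAGS = {
    0x0001: "IMAGE_FILE_RELOCS_STRIPPED", 0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0004: "IMAGE_FILE_LINE_NUMS_STRIPPED", 0x0008: "IMAGE_FILE_LOCAL_SYMS_STRIPPED",
    0x0100: "IMAGE_FILE_32BIT_MACHINE", 0x2000: "IMAGE_FILE_DLL",
}
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def decode_flags(value, table):
    """Expand a bitmask into the IMAGE_* names the report prints, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def shannon_entropy(data):
    """Bits per byte, 0.0 for empty or constant data, 8.0 for a flat distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, stamp, _symptr, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                              # COFF header is 20 bytes
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]         # AddressOfEntryPoint
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]     # Subsystem
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize, "raw_size": rawsize,
            "characteristics": decode_flags(sflags, SECTION_FLAGS),
            "entropy": shannon_entropy(raw),
        })
    return {
        "machine": MACHINE.get(machine, hex(machine)),
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%d-%b-%Y %H:%M:%S"),
        "characteristics": decode_flags(chars, FILE_FLAGS),
        "linker_version": f"{linker_major}.{linker_minor}",
        "entry_point": entry,
        "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
        "sections": sections,
    }


def suspicious_sections(info, entropy_threshold=7.0):
    """Sections that are both writable and executable, or whose entropy suggests packed/encrypted content."""
    out = []
    for s in info["sections"]:
        wx = {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= set(s["characteristics"])
        if wx or s["entropy"] > entropy_threshold:
            out.append(s["name"])
    return out


def build_sample_pe():
    """Constructed test image (NOT the report's sample): header values copy the report,
    section contents are synthetic so the entropy values are predictable."""
    e_lfanew, opt_size, nsec = 0xE0, 0xE0, 2
    stamp = int(datetime(2011, 4, 8, 17, 54, 23, tzinfo=timezone.utc).timestamp())
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, nsec, stamp, 0, 0, opt_size, 0x010F)
    opt = bytearray(opt_size)
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)             # PE32 magic, linker 6.0
    struct.pack_into("<I", opt, 16, 0x1ADB)                   # entry point
    struct.pack_into("<H", opt, 68, 3)                        # console subsystem
    raw_ptr = 0x400                                           # file offset of first section
    text = bytes(range(256)) * 2                              # flat distribution -> entropy 8.0
    rdata = b"\0" * 512                                       # constant -> entropy 0.0
    hdr = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".rdata", len(rdata), 0x2000, len(rdata), raw_ptr + len(text), 0, 0, 0, 0, 0x40000040)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdr
    return image.ljust(raw_ptr, b"\0") + text + rdata


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["machine"], info["subsystem"], info["compile_time"], hex(info["entry_point"]))
    print("suspicious:", suspicious_sections(info))
```

Entropy is a triage signal, not proof: the real sample's .text at 6.40 is ordinary compiled code, while a packed stub typically sits above 7, so the threshold catches the synthetic .text here but would not fire on the report's sections.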

Resources

Title        | Entropy | Size  | Codepage | Language | Type
LOCALIZATION | 4.54319 | 24576 | UNKNOWN  | UNKNOWN  | UNICODE

Imports

KERNEL32.dll
No data.
Total processes: 42
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph (no per-process indicators shown on the graph itself): Fichero Análsis 1.exe, svchost.exe, WINWORD.EXE, WINWORD.EXE, explorer.exe

Process information

PID 916
CMD: "C:\Users\admin\AppData\Local\Temp\Fichero Análsis 1.exe"
Path: C:\Users\admin\AppData\Local\Temp\Fichero Análsis 1.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 2824
CMD: "C:\Windows\system32\svchost.exe"
Path: C:\Windows\system32\svchost.exe
Parent process: Fichero Análsis 1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 3221225794 (0xC0000142, STATUS_DLL_INIT_FAILED)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2952
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\systemoh.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID 3588
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\accordingchicago.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID 2648
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
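The process table carries the only malicious signal in this report: svchost.exe (PID 2824) was started by the sample rather than by services.exe, with a bare command line and no "-k <group>" argument, and it died with 0xC0000142 (STATUS_DLL_INIT_FAILED). The following is an added example, not ANY.RUN's detection logic: a small parent/command-line check for svchost.exe run over constructed process-creation records shaped like the table above. The records are test data built for this example (a legitimate svchost.exe started by services.exe with "-k netsvcs" is included as a negative case and is not in the report); the expected parent name, the "-k" requirement and the System32/SysWOW64 path check are the example's own assumptions about a clean Windows host.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

STATUS_DLL_INIT_FAILED = 0xC0000142


@dataclass
class ProcessEvent:
    """One process-creation record, constructed for this example in the shape of the report's table."""
    pid: int
    image: str             # full path of the started image
    command_line: str
    parent_pid: int
    parent_image: str      # image name of the parent
    exit_code: Optional[int] = None


def image_name(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_service_group(cmd: str) -> bool:
    """Assumption: a legitimate svchost.exe is always started with '-k <group>'."""
    return " -k " in f" {cmd.lower()} "


def check_svchost(ev: ProcessEvent) -> List[str]:
    """Return reasons this svchost.exe start looks wrong; empty list for non-svchost or clean starts."""
    if image_name(ev.image) != "svchost.exe":
        return []
    reasons = []
    if image_name(ev.parent_image) != "services.exe":
        reasons.append(f"parent is {image_name(ev.parent_image)}, expected services.exe")
    if not has_service_group(ev.command_line):
        reasons.append("no -k service group on command line")
    if not ev.image.lower().startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
        reasons.append(f"unexpected image path {ev.image}")
    # The exit status alone is not a finding (a real svchost can die this way at logoff);
    # it is recorded only as corroboration when a structural reason already exists.
    if reasons and ev.exit_code == STATUS_DLL_INIT_FAILED:
        reasons.append("exited with STATUS_DLL_INIT_FAILED (0xC0000142)")
    return reasons


def analyze(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Run the svchost check over a batch of events and keep the ones with reasons."""
    findings = []
    for ev in events:
        reasons = check_svchost(ev)
        if reasons:
            findings.append((ev.pid, reasons))
    return findings


# Constructed records: the first two and the fourth mirror rows of the report's process table;
# PID 1040 is a synthetic clean svchost.exe start added as a negative case.
SAMPLE_EVENTS = [
    ProcessEvent(916, r"C:\Users\admin\AppData\Local\Temp\Fichero Análsis 1.exe",
                 r'"C:\Users\admin\AppData\Local\Temp\Fichero Análsis 1.exe"', 2648, "explorer.exe", 0),
    ProcessEvent(2824, r"C:\Windows\system32\svchost.exe", r'"C:\Windows\system32\svchost.exe"',
                 916, "Fichero Análsis 1.exe", 0xC0000142),
    ProcessEvent(1040, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs",
                 500, "services.exe", None),
    ProcessEvent(2952, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\systemoh.rtf"',
                 2648, "explorer.exe", 0),
]

if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

On the report's data this fires once, for PID 2824, on both structural reasons with the exit status as corroboration; the WINWORD.EXE rows are untouched because the check only looks at svchost.exe starts.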
Total events: 1 747
Read events: 1 195
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 4
Unknown types: 6

Dropped files

All listed files are Word working files written by WINWORD.EXE (PIDs 2952 and 3588); no file is written by the sample itself (PID 916).

PID 2952 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\CVR85B3.tmp.cvr
  MD5 / SHA256: not listed
PID 2952 (WINWORD.EXE): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{12E07076-9B90-49B3-B85F-94C376F12DBE}.tmp
  MD5 / SHA256: not listed
PID 2952 (WINWORD.EXE): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{77AD3AAE-036B-4B73-B28D-00DBF602A6C4}.tmp
  MD5 / SHA256: not listed
PID 2952 (WINWORD.EXE): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3A7E37B2-82C6-4070-8223-E7286749713D}.tmp
  MD5 / SHA256: not listed
PID 3588 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\CVRE95E.tmp.cvr
  MD5 / SHA256: not listed
PID 3588 (WINWORD.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat (type: ini)
  MD5: CAC6B7406D063DCD44F90355D73EDEEF
  SHA256: 01A620D6F9B9D3E316AB701A03F6ADA6E395E81936E7C694770B73D4CB7AC89D
PID 2952 (WINWORD.EXE): C:\Users\admin\Desktop\~$stemoh.rtf (type: pgc)
  MD5: 663E4586846EE1D2709433A3E7BD02D7
  SHA256: FB423BD84FAA91B8B3CD3B938DCCA4DF681155BBD5C150D2C73DB83A5948B2E1
PID 3588 (WINWORD.EXE): C:\Users\admin\Desktop\~$cordingchicago.rtf (type: pgc)
  MD5: EED710FC2B08397563DC686634D50045
  SHA256: D07CBAF89A9DE8284E2746FE982C9752C78C06808C23582C02BE01CF23AFF198
PID 2952 (WINWORD.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm (type: pgc)
  MD5: 105BEE444BB5AAAB6A78A15AC0D52711
  SHA256: 0A11C77F12399FE76D41F35C08ED1C12BFBD277EB297FCB5ED0F5C8A0B36AA5B
PID 2952 (WINWORD.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\systemoh.rtf.LNK (type: lnk)
  MD5: 67E9B7E19124B3EA0C2F0CA268A59E6D
  SHA256: BDCF411996A90A8058E6E8B32CC2BC0545131EDA73B5800C76EF0567879BC590
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info