File name: challenge.exe
Full analysis: https://app.any.run/tasks/b01c4112-e455-4cb8-9754-4539e13e698b
Verdict: Malicious activity
Analysis date: May 20, 2022, 16:12:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: A2F33095EF25B4D5B061EB53A7FE6548
SHA1: B38A8CB06507ADB966DFDB809403F8F7F64CA534
SHA256: B0D41E9B8C941D207A0958B92F57083DD9B9246958BD32E2E6E90C4EE0E12419
SSDEEP: 24576:sHMFgBanP6wJlYixpC9gbYstRiNhmREhf4gnlzY1hcP0GeN53U:sHmgq1sUJOLlucev3U
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • challenge.exe (PID: 3544)
      • challenge.exe (PID: 2104)
    • Changes the autorun value in the registry

      • challenge.exe (PID: 3544)
    • Drops executable file immediately after starts

      • challenge.exe (PID: 3544)
    • Loads the Task Scheduler COM API

      • challenge.exe (PID: 3544)
      • challenge.exe (PID: 2104)
  • SUSPICIOUS

    • Checks supported languages

      • challenge.exe (PID: 3544)
      • challenge.exe (PID: 2956)
      • challenge.exe (PID: 3488)
      • challenge.exe (PID: 2104)
    • Reads the computer name

      • challenge.exe (PID: 3544)
      • challenge.exe (PID: 2104)
    • Application launched itself

      • challenge.exe (PID: 2956)
      • challenge.exe (PID: 3544)
      • challenge.exe (PID: 3488)
    • Uses ICACLS.EXE to modify access control list

      • challenge.exe (PID: 3544)
    • Adds / modifies Windows certificates

      • challenge.exe (PID: 3544)
      • challenge.exe (PID: 2104)
    • Executable content was dropped or overwritten

      • challenge.exe (PID: 3544)
    • Drops a file with a compile date too recent

      • challenge.exe (PID: 3544)
  • INFO

    • Checks Windows Trust Settings

      • challenge.exe (PID: 3544)
      • challenge.exe (PID: 2104)
    • Reads settings of System Certificates

      • challenge.exe (PID: 3544)
      • challenge.exe (PID: 2104)
    • Checks supported languages

      • icacls.exe (PID: 124)
      • taskmgr.exe (PID: 2804)
    • Reads the computer name

      • icacls.exe (PID: 124)
      • taskmgr.exe (PID: 2804)
    • Manual execution by user

      • taskmgr.exe (PID: 2804)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x9d410
UninitializedDataSize: -
InitializedDataSize: 623104
CodeSize: 768000
LinkerVersion: 10
PEType: PE32
TimeStamp: 2020:03:23 02:28:10+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 23-Mar-2020 01:28:10
Detected languages:
  • Divehi - Maldives
  • Spanish - Colombia
Debug artifacts:
  • C:\moz\vidaj.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 23-Mar-2020 01:28:10
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000BB674 | 0x000BB800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.84409
.data | 0x000BD000 | 0x0008CB68 | 0x0000DC00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.436021
.rsrc | 0x0014A000 | 0x00008128 | 0x00008200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.3864
.reloc | 0x00153000 | 0x00098000 | 0x00067000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 7.73651

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.59146 | 2216 | UNKNOWN | Spanish - Colombia | RT_ICON
2 | 5.66171 | 1736 | UNKNOWN | Spanish - Colombia | RT_ICON
3 | 5.30736 | 1384 | UNKNOWN | Spanish - Colombia | RT_ICON
4 | 5.29177 | 4264 | UNKNOWN | Spanish - Colombia | RT_ICON
5 | 5.00679 | 2440 | UNKNOWN | Spanish - Colombia | RT_ICON
6 | 5.00346 | 1128 | UNKNOWN | Spanish - Colombia | RT_ICON
7 | 6.38956 | 9640 | UNKNOWN | Spanish - Colombia | RT_ICON
8 | 6.81585 | 4264 | UNKNOWN | Spanish - Colombia | RT_ICON
25 | 3.13413 | 564 | UNKNOWN | Divehi - Maldives | RT_STRING
26 | 3.24387 | 1278 | UNKNOWN | Divehi - Maldives | RT_STRING

Imports

GDI32.dll
KERNEL32.dll
USER32.dll
No data.
Total processes: 45
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process nodes: start; drop and start; challenge.exe (no specs); challenge.exe; icacls.exe (no specs); challenge.exe; challenge.exe; taskmgr.exe (no specs)

Process information

PID: 2956
CMD: "C:\Users\admin\AppData\Local\Temp\challenge.exe"
Path: C:\Users\admin\AppData\Local\Temp\challenge.exe
Parent process: Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\challenge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
PID: 3544
CMD: "C:\Users\admin\AppData\Local\Temp\challenge.exe"
Path: C:\Users\admin\AppData\Local\Temp\challenge.exe
Parent process: challenge.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\challenge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
PID: 124
CMD: icacls "C:\Users\admin\AppData\Local\c58b7cbd-61ee-46e0-875b-d3b840b32a7a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Path: C:\Windows\system32\icacls.exe
Parent process: challenge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
PID: 3488
CMD: "C:\Users\admin\AppData\Local\Temp\challenge.exe" --Admin IsNotAutoStart IsNotTask
Path: C:\Users\admin\AppData\Local\Temp\challenge.exe
Parent process: challenge.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\challenge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msctf.dll
PID: 2104
CMD: "C:\Users\admin\AppData\Local\Temp\challenge.exe" --Admin IsNotAutoStart IsNotTask
Path: C:\Users\admin\AppData\Local\Temp\challenge.exe
Parent process: challenge.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\challenge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wininet.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\user32.dll
PID: 2804
CMD: "C:\Windows\system32\taskmgr.exe" /4
Path: C:\Windows\system32\taskmgr.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
Total events: 8 501
Read events: 8 372
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 6
Text files: 0
Unknown types: 2

Dropped files

PID | Process | Filename | Type
2104 | challenge.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\geo[1].json | binary
  MD5: 2BCBF0CD4C0832115E45930E51DA84C3
  SHA256: 5BA486280373A92E787E21045804D0F21221733331630064790993AD8491E5B5
3544 | challenge.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | der
  MD5: 93995AD095112907CFC088998C161574
  SHA256: FD16D238BCAC3441688E7CA940C27BB02DF8F0BF43B26D8E551414A18748C1CC
3544 | challenge.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: 459CBCB375424ECE984BE4EA83BD0BFB
  SHA256: 0411C4D57B484C7F7631996A06FE66CD527BAA80B30F8B02B2CB92716F8E6828
3544 | challenge.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary
  MD5: 2FB358D1323E0228D9A514C291DC8043
  SHA256: D5C5C6EB8434373A9D9682647E812108AD2AB4F8B2AFBFB6AA515E6E09590AA0
3544 | challenge.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed
  MD5: F7DCB24540769805E5BB30D193944DCE
  SHA256: 6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
3544 | challenge.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary
  MD5: B025C2AF9438BFBE5FA1FF070C6B91E5
  SHA256: D0F02F4EB9786A67F665AC5465BB24300EE3C5DF92C9E91871B3C62A499513C1
3544 | challenge.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | der
  MD5: C04F441D0220712231531A90823834DB
  SHA256: 055641D3987AE98E2DD627D3214EA8084AE773A3DF9592191B86977C752A29E7
3544 | challenge.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\geo[1].json | binary
  MD5: 2BCBF0CD4C0832115E45930E51DA84C3
  SHA256: 5BA486280373A92E787E21045804D0F21221733331630064790993AD8491E5B5
3544 | challenge.exe | C:\Users\admin\AppData\Local\c58b7cbd-61ee-46e0-875b-d3b840b32a7a\challenge.exe | executable
  MD5: A2F33095EF25B4D5B061EB53A7FE6548
  SHA256: B0D41E9B8C941D207A0958B92F57083DD9B9246958BD32E2E6E90C4EE0E12419
HTTP(S) requests: 3
TCP/UDP connections: 8
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3544 | challenge.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted
3544 | challenge.exe | GET | 200 | 172.64.155.188:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted
3544 | challenge.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ae62cb3ff0f7f47b | US | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3544 | challenge.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious
3544 | challenge.exe | 162.0.217.254:443 | api.2ip.ua | AirComPlus Inc. | CA | suspicious
3544 | challenge.exe | 172.64.155.188:80 | ocsp.comodoca.com | - | US | suspicious
2104 | challenge.exe | 162.0.217.254:443 | api.2ip.ua | AirComPlus Inc. | CA | suspicious

DNS requests

Domain | IP | Reputation
api.2ip.ua | 162.0.217.254 | shared
ctldl.windowsupdate.com | 23.216.77.80, 23.216.77.69 | whitelisted
ocsp.comodoca.com | 172.64.155.188, 104.18.32.68 | whitelisted
ocsp.usertrust.com | 172.64.155.188, 104.18.32.68 | whitelisted
kotob.top | - | malicious
tzgl.org | - | malicious

Threats

PID | Process | Class | Message
- | - | A Network Trojan was detected | ET POLICY External IP Address Lookup DNS Query (2ip .ua)
3544 | challenge.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
2104 | challenge.exe | Potentially Bad Traffic | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)
- | - | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
No debug info