File name: SecurityTaskManager_Setup.exe
Full analysis: https://app.any.run/tasks/48b6a877-5146-4274-a35a-6b048e42ff54
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 16, 2019, 15:41:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 444439BC44C476297D7F631A152CE638
SHA1: 820FCB951D1AC8C2FDA1A1AE790F52EB1F8EDF2E
SHA256: BC2D5417A6BF47D53C20C280F6E4B1A3E00DC0B6BBD3E26B2E591FD2F2DC4CC3
SSDEEP: 49152:4s+HgXcROcfipeyNcRmyQLCUOE+N+2JLKmltavtaKhGiD79l+90U:4s+9ROcapelxQLGEjscg6939l+V
ANY.RUN is an interactive service that gives the analyst full access to the guest system. The information in this report may therefore have been influenced by the analyst's own actions in the VM and is provided as is. ANY.RUN does not guarantee that the content is either malicious or safe.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • setup.exe (PID: 2236)
      • TaskMan.exe (PID: 1292)
      • u[1].exe (PID: 3948)
    • Loads dropped or rewritten executable

      • explorer.exe (PID: 352)
      • ctfmon.exe (PID: 708)
      • TaskMan.exe (PID: 1292)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 408)
    • Downloads executable files from IP

      • iexplore.exe (PID: 408)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 1556)
      • cmd.exe (PID: 2584)
    • Loads the Task Scheduler COM API

      • TaskMan.exe (PID: 1292)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SecurityTaskManager_Setup.exe (PID: 2488)
      • setup.exe (PID: 2236)
      • iexplore.exe (PID: 408)
      • iexplore.exe (PID: 584)
    • Creates a software uninstall entry

      • setup.exe (PID: 2236)
    • Creates files in the program directory

      • setup.exe (PID: 2236)
      • TaskMan.exe (PID: 1292)
    • Executed via COM

      • explorer.exe (PID: 1820)
    • Starts Internet Explorer

      • explorer.exe (PID: 352)
    • Creates files in the user directory

      • TaskMan.exe (PID: 1292)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 2584)
      • cmd.exe (PID: 1556)
    • Starts CMD.EXE for self-deleting

      • u[1].exe (PID: 3948)
    • Starts CMD.EXE for commands execution

      • u[1].exe (PID: 3948)
    • Reads Internet Cache Settings

      • TaskMan.exe (PID: 1292)
      • explorer.exe (PID: 352)
    • Searches for installed software

      • TaskMan.exe (PID: 1292)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 584)
    • Reads internet explorer settings

      • iexplore.exe (PID: 408)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 408)
      • iexplore.exe (PID: 584)
    • Changes internet zones settings

      • iexplore.exe (PID: 584)
    • Reads the hosts file

      • TaskMan.exe (PID: 1292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
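The MALICIOUS and SUSPICIOUS entries above (ping-based delay, cmd.exe used for self-deletion, sc.exe for service management) are behavioural signatures over process-creation events. The following added example, not part of the report and not ANY.RUN's own signature code, shows how such checks are written over a small set of constructed events: the PIDs 3948/2584/1556, the image names and the parent/child relations come from the report, but the command lines, the file path, the service name "ExampleSvc" and the child PIDs 4001-4003 are assumptions, because the report does not print the command lines of the two cmd.exe instances.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    image: str            # image name as the sandbox shows it
    cmdline: str
    ppid: Optional[int] = None


# Constructed process-creation events (assumptions, see lead-in). PIDs 3948, 2584 and 1556,
# the image names and the parent/child relations follow the report's signature list; the
# command lines, path, service name and PIDs 4001-4003 are invented to show the pattern.
EVENTS = [
    ProcEvent(3948, "u[1].exe", '"C:\\Users\\admin\\AppData\\Local\\Temp\\u[1].exe"'),
    ProcEvent(2584, "cmd.exe",
              "cmd /c sc stop ExampleSvc & sc delete ExampleSvc & ping 127.0.0.1 -n 3 > nul", ppid=3948),
    ProcEvent(1556, "cmd.exe",
              'cmd /c ping 127.0.0.1 -n 5 > nul & del "C:\\Users\\admin\\AppData\\Local\\Temp\\u[1].exe"', ppid=3948),
    ProcEvent(4001, "sc.exe", "sc stop ExampleSvc", ppid=2584),
    ProcEvent(4002, "ping.exe", "ping 127.0.0.1 -n 3", ppid=2584),
    ProcEvent(4003, "ping.exe", "ping 127.0.0.1 -n 5", ppid=1556),
]

# ping against the loopback address with a repeat count: the batch-file substitute for sleep.
PING_DELAY = re.compile(r"\bping(?:\.exe)?\s+(?:127\.0\.0\.1|localhost|::1)\b.*?-n\s+\d+", re.IGNORECASE)
# service control manager operations that change service state or definitions.
SC_MANAGE = re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete|create|config|start)\b", re.IGNORECASE)
# target of a 'del' command, allowing optional switches and optional quotes around the path.
DEL_TARGET = re.compile(r'\bdel\s+(?:/[a-z]\s+)*"?([^"&|]+?)"?\s*(?:&|$)', re.IGNORECASE)


def evaluate(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {cmd.exe pid: [labels]} for every cmd.exe instance that matches a pattern."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {}
    for e in events:
        if e.image.lower() != "cmd.exe":
            continue
        labels: List[str] = []
        if PING_DELAY.search(e.cmdline):
            labels.append("ping-delay")
        if SC_MANAGE.search(e.cmdline):
            labels.append("sc-service-management")
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        m = DEL_TARGET.search(e.cmdline)
        # self-delete: the shell is asked to remove the image of the process that spawned it,
        # which only succeeds once that parent has exited, hence the ping delay in front of it.
        if m and parent and m.group(1).lower().endswith(parent.image.lower()):
            labels.append("self-delete")
        if labels:
            hits[e.pid] = labels
    return hits


if __name__ == "__main__":
    for pid, labels in evaluate(EVENTS).items():
        print(pid, ", ".join(labels))
```

The self-delete check deliberately ties the deleted path to the parent's image name rather than matching any del command, otherwise every installer cleanup script would fire; the ping regex only accepts loopback targets because a ping to a remote host is a network check, not a delay.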
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (32.1)
.exe | Win64 Executable (generic) (28.5)
.exe | Winzip Win32 self-extracting archive (generic) (23.7)
.dll | Win32 Dynamic Link Library (generic) (6.7)
.exe | Win32 Executable (generic) (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:02:24 16:50:34+01:00
PEType: PE32
LinkerVersion: 8
CodeSize: 77824
InitializedDataSize: 65536
UninitializedDataSize: -
EntryPoint: 0xaf1e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 24-Feb-2009 15:50:34
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 24-Feb-2009 15:50:34
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name      Virtual Address  Virtual Size  Raw Size    Characteristics                                                                       Entropy
.text     0x00001000       0x00012775    0x00013000  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                         6.50181
.rdata    0x00014000       0x00003822    0x00004000  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                                    4.98659
.data     0x00018000       0x0000E6E4    0x00002000  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE               1.97381
.rsrc     0x00027000       0x0000976C    0x0000A000  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                                    5.54785
_winzip_  0x00031000       0x002BA000    0x002BA000  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ         7.99948

The 2.7 MB _winzip_ section at entropy 7.99948 is the compressed archive carried by a WinZip self-extractor, which matches the TRiD "Winzip Win32 self-extracting archive" candidate above and the WZSE0.TMP extraction directory in the dropped-files list; the near-maximal entropy reflects compression, not encryption, and is not on its own evidence of packing by the author.
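The section table above (and the DOS/PE headers before it) is produced by walking the file from the MZ header to e_lfanew, past the COFF and optional headers, to the 40-byte section headers, and computing the Shannon entropy of each section's raw bytes. The following added example, which is not code from the report or from ANY.RUN, does exactly that in plain Python with no third-party dependency, and flags the sections a triager looks at first. It runs on a constructed minimal PE image (build_sample_pe, not the installer from this report) whose second section contains every byte value equally often, so its entropy is exactly 8.0; the 7.0 threshold in suspicious_sections is a common triage heuristic, not a standard.

```python
import math
import struct
from typing import List, Tuple

# Section characteristic bits from winnt.h (the subset this report's section table uses).
SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

Section = Tuple[str, int, int, int, List[str], float]  # name, VA, virtual size, raw size, flags, entropy


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Section]:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table.
    Entropy is computed over each section's raw file bytes, as in the report."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]           # 'Address of NE header' in the report
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size                                  # section headers follow the optional header
    sections: List[Section] = []
    for i in range(nsections):
        off = table + i * 40                                      # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[rawptr:rawptr + rawsize]
        flags = [label for bit, label in SCN_FLAGS.items() if chars & bit]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawsize, flags, shannon_entropy(raw)))
    return sections


def suspicious_sections(sections: List[Section], entropy_threshold: float = 7.0) -> List[Tuple[str, List[str]]]:
    """Sections worth a second look: near-random content (packed, compressed or encrypted
    payload, like the _winzip_ section above) or pages that are both writable and executable."""
    flagged = []
    for name, _va, _vsize, _rawsize, flags, entropy in sections:
        reasons = []
        if entropy >= entropy_threshold:
            reasons.append(f"entropy {entropy:.2f}")
        if "IMAGE_SCN_MEM_EXECUTE" in flags and "IMAGE_SCN_MEM_WRITE" in flags:
            reasons.append("writable and executable")
        if reasons:
            flagged.append((name, reasons))
    return flagged


def build_sample_pe() -> bytes:
    """Constructed test image (NOT the installer from the report): a 0x40-byte DOS header,
    a zero-filled 0xE0-byte optional header and two sections, one of plain text and one in
    which every byte value occurs 16 times (entropy exactly 8.0)."""
    text_raw = b"plain section data, mostly letters " * 16
    blob_raw = bytes(range(256)) * 16
    file_align = 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    opt = bytes(0xE0)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)  # I386, two sections
    headers_end = 0x40 + 4 + 20 + len(opt) + 2 * 40

    def align(n: int) -> int:
        return (n + file_align - 1) // file_align * file_align

    text_ptr = align(headers_end)
    blob_ptr = text_ptr + align(len(text_raw))

    def header(name: bytes, va: int, raw: bytes, ptr: int, chars: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), ptr, 0, 0, 0, 0, chars)

    image = bytearray(dos + b"PE\0\0" + coff + opt)
    image += header(b".text", 0x1000, text_raw, text_ptr, 0x60000020)   # CODE | EXECUTE | READ
    image += header(b"_blob_", 0x2000, blob_raw, blob_ptr, 0x42000040)  # INIT_DATA | DISCARDABLE | READ
    image += bytes(text_ptr - len(image)) + text_raw
    image += bytes(blob_ptr - len(image)) + blob_raw
    return bytes(image)


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for name, va, vsize, rawsize, flags, entropy in secs:
        print(f"{name:<8} VA 0x{va:08X} vsize 0x{vsize:08X} raw 0x{rawsize:08X} {entropy:.5f} {', '.join(flags)}")
    print("flagged:", suspicious_sections(secs))
```

To run it against a real file, replace build_sample_pe() with open(path, "rb").read(); the parser reads only the headers and section bodies, so a truncated overlay or appended data does not affect it.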

Resources

Title  Entropy  Size  Codepage                    Language                 Type
1      4.82954  989   Latin 1 / Western European  English - United States  RT_MANIFEST
2      4.03621  744   Latin 1 / Western European  English - United States  RT_ICON
3      3.14459  296   Latin 1 / Western European  English - United States  RT_ICON
4      5.56342  3752  Latin 1 / Western European  English - United States  RT_ICON
5      5.99214  2216  Latin 1 / Western European  English - United States  RT_ICON
6      3.69605  1384  Latin 1 / Western European  English - United States  RT_ICON
7      5.83382  9640  Latin 1 / Western European  English - United States  RT_ICON
8      6.01045  4264  Latin 1 / Western European  English - United States  RT_ICON
9      4.68735  1128  Latin 1 / Western European  English - United States  RT_ICON
63     3.18826  764   Latin 1 / Western European  English - United States  RT_STRING

Imports

COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
No data.
All screenshots are available in the full report
Total processes: 58
Monitored processes: 17
Malicious processes: 7
Suspicious processes: 2

Behavior graph

[Interactive process graph; available in the full report. Nodes shown, with the report's "no specs" marker where it appears: securitytaskmanager_setup.exe (no specs), securitytaskmanager_setup.exe, setup.exe, explorer.exe (no specs), explorer.exe (no specs), taskman.exe (no specs), explorer.exe (no specs), ctfmon.exe (no specs), iexplore.exe, iexplore.exe, u[1].exe, cmd.exe (no specs), cmd.exe (no specs), sc.exe (no specs), sc.exe (no specs), ping.exe (no specs), ping.exe (no specs). Edges are labelled "start" or "drop and start".]

Process information

PID 3912: "C:\Users\admin\Desktop\SecurityTaskManager_Setup.exe"
  Path: C:\Users\admin\Desktop\SecurityTaskManager_Setup.exe
  Parent: explorer.exe
  User: admin | Integrity level: MEDIUM | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: Windows refused to start the installer at medium integrity; PID 2488 below is the elevated relaunch)

PID 2488: "C:\Users\admin\Desktop\SecurityTaskManager_Setup.exe"
  Path: C:\Users\admin\Desktop\SecurityTaskManager_Setup.exe
  Parent: explorer.exe
  User: admin | Integrity level: HIGH | Exit code: 0

PID 2236: ".\setup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\setup.exe
  Parent: SecurityTaskManager_Setup.exe
  User: admin | Company: Neuber Software | Description: Setup program | Version: 1, 0, 0, 1
  Integrity level: HIGH | Exit code: 0

PID 2384: "C:\Windows\explorer.exe" "C:\Program Files\Security Task Manager\taskman.exe"
  Path: C:\Windows\explorer.exe
  Parent: setup.exe
  User: admin | Company: Microsoft Corporation | Description: Windows Explorer | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Integrity level: HIGH | Exit code: 1

PID 1820: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Path: C:\Windows\explorer.exe
  Parent: svchost.exe
  User: admin | Company: Microsoft Corporation | Description: Windows Explorer | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Integrity level: MEDIUM

PID 1292: "C:\Program Files\Security Task Manager\TaskMan.exe"
  Path: C:\Program Files\Security Task Manager\TaskMan.exe
  Parent: explorer.exe
  User: admin | Company: Neuber Software | Description: Security Task Manager | Version: 2.3.3.0
  Integrity level: MEDIUM

PID 352: C:\Windows\Explorer.EXE
  Path: C:\Windows\explorer.exe
  Parent: -
  User: admin | Company: Microsoft Corporation | Description: Windows Explorer | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Integrity level: MEDIUM

PID 708: C:\Windows\System32\ctfmon.exe
  Path: C:\Windows\System32\ctfmon.exe
  Parent: taskeng.exe
  User: admin | Company: Microsoft Corporation | Description: CTF Loader | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Integrity level: MEDIUM

PID 584: "C:\Program Files\Internet Explorer\iexplore.exe"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent: explorer.exe
  User: admin | Company: Microsoft Corporation | Description: Internet Explorer | Version: 8.00.7600.16385 (win7_rtm.090713-1255)
  Integrity level: MEDIUM | Exit code: 1

PID 408: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:584 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent: iexplore.exe
  User: admin | Company: Microsoft Corporation | Description: Internet Explorer | Version: 8.00.7600.16385 (win7_rtm.090713-1255)
  Integrity level: LOW | Exit code: 0
Total events: 4 906
Read events: 4 594
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 18
Suspicious files: 346
Text files: 182
Unknown types: 16

Dropped files

PID 2488, SecurityTaskManager_Setup.exe: C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\leggimi.txt (text)
  MD5: 693EA8D965EEE7AAFD435C2E89474736
  SHA256: 70CFE07B5936838059321CE558058797EA3C4C3619BD53DBE05AE3B633AE8BFE
PID 2488, SecurityTaskManager_Setup.exe: C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\liesmich.txt (text)
  MD5: C002D98FC4F20FD865C5E9A827846227
  SHA256: D8A27606908582E5DE18916E04937CAF26C1F3F0803CA4D1A5841A4CD541F10E
PID 2488, SecurityTaskManager_Setup.exe: C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\readme.txt (text)
  MD5: 467D46B80FEE8540EF1013C05F9E9C61
  SHA256: 9E5C9FD3C3E7BEE41EA0E4405FEE75E6B614D14BCF2B07365150B11E65B54191
PID 2488, SecurityTaskManager_Setup.exe: C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\file_id.diz (text)
  MD5: 85F533F1E1D0C11BE713C91F29BBAD54
  SHA256: 6FED71E2951B70F3E340A982B3D1A2914768D8C9691E6CFF465DED170944BA77
PID 2488, SecurityTaskManager_Setup.exe: C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\TaskMan.exe (executable)
  MD5: 3733003588ACFBC9FF5DF9765C80D405
  SHA256: 0C87006A32E187CB1FEF06DC9F19B547C78909E88AB59CC89D7B53AEBBAE9B4A
PID 2488, SecurityTaskManager_Setup.exe: C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\SpyProDll.dll (executable)
  MD5: 642021C03975D907D65803AAE9EC3DEE
  SHA256: 0289FF37A7D4B6BD44AC96C714FE58329D4B1FDEA53F744AC3A5AE731236F87C
PID 2488, SecurityTaskManager_Setup.exe: C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\manual_de.pdf (pdf)
  MD5: 17BBDF9FC220E9EFFACAA5A76CF4B688
  SHA256: AF89A8B1030FAF760C16B66524F8A04188E49669FAA6F8123E2A4BF0ABAA75BC
PID 2488, SecurityTaskManager_Setup.exe: C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\manual_en.pdf (pdf)
  MD5: F8DC026AC75362E1E5E41469CDDAE40C
  SHA256: D97AAD84FC29C2B71FF9D07C645BB1B3DB779412F5673F5BD37B55520710CBCE
PID 2488, SecurityTaskManager_Setup.exe: C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\uninstal.exe (executable)
  MD5: FA9F0F001EEAB09B8FADAB100AD60D7E
  SHA256: 709C6C2FB71F06AD8DAAE77E7AF11B3CEC059F25793D098D2254572A788EE120
PID 2488, SecurityTaskManager_Setup.exe: C:\Users\admin\AppData\Local\Temp\WZSE0.TMP\Setup.exe (executable)
  MD5: 694BA0B43CC2EC5055A7FFA3C4FC3AAE
  SHA256: A771E2F459F171469C5EF3407034A7DDA4ECE86F5B4DB943CC728696DAAD6295
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 3
DNS requests: 1
Threats: 0

HTTP requests

PID   Process       Method  HTTP Code  IP                   URL                                  CN  Type        Size     Reputation
408   iexplore.exe  GET     200        173.247.239.186:80   http://173.247.239.186/u.exe         US  executable  37.5 Kb  malicious
3948  u[1].exe      GET     200        185.112.156.92:8092  http://185.112.156.92:8092/ups.html  HU  text        12 b     suspicious
584   iexplore.exe  GET     200        204.79.197.200:80    http://www.bing.com/favicon.ico      US  image       237 b    whitelisted

Connections

PID   Process       IP                   Domain        ASN                        CN  Reputation
584   iexplore.exe  204.79.197.200:80    www.bing.com  Microsoft Corporation      US  whitelisted
3948  u[1].exe      185.112.156.92:8092  -             DoclerWeb Kft.             HU  suspicious
408   iexplore.exe  173.247.239.186:80   -             Corporate Colocation Inc.  US  malicious

DNS requests

Domain        IP                             Reputation
www.bing.com  204.79.197.200, 13.107.21.200  whitelisted

Threats

PID  Process       Class                                  Message
408  iexplore.exe  A Network Trojan was detected          ET INFO Executable Download from dotted-quad Host
408  iexplore.exe  A Network Trojan was detected          ET TROJAN Single char EXE direct download likely trojan (multiple families)
408  iexplore.exe  Potentially Bad Traffic                ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
408  iexplore.exe  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
408  iexplore.exe  Potentially Bad Traffic                ET INFO SUSPICIOUS Dotted Quad Host MZ Response
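All five IDS alerts fire on the same request: the low-integrity Internet Explorer tab (PID 408) fetching u.exe from a bare IPv4 address, with the response body starting with MZ. Two caveats a practitioner would want: because ANY.RUN is interactive, that browser request may have been typed in by the analyst rather than triggered by the installer, while the later request by u[1].exe (PID 3948) to 185.112.156.92 on port 8092 is the downloaded binary's own behaviour; and the alerts key on the URL shape and the response bytes, not on the reputation of the IP. The following added example, which is not code from the report and not the Emerging Threats rules themselves, re-implements the same heuristics over the three requests in the HTTP table. The PIDs and URLs are the report's; the response bodies are constructed (the report gives only type and size), and the "one to three alphanumerics before .exe" cut-off for a terse name is an assumption, since the rule text is not on the page.

```python
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# The three requests from this report's HTTP table, re-typed as input. The leading response
# bytes are constructed: a PE file starts with 'MZ', an .ico with 00 00 01 00, and ups.html
# is stood in for by 12 bytes of text (the report gives a 12 b text response).
REQUESTS = [
    {"pid": 408,  "process": "iexplore.exe", "url": "http://173.247.239.186/u.exe",        "body": b"MZ\x90\x00" + bytes(60)},
    {"pid": 3948, "process": "u[1].exe",     "url": "http://185.112.156.92:8092/ups.html", "body": b"hello world\n"},
    {"pid": 584,  "process": "iexplore.exe", "url": "http://www.bing.com/favicon.ico",    "body": b"\x00\x00\x01\x00"},
]

# Assumed cut-off for a 'terse' executable name: one to three alphanumerics before .exe.
TERSE_EXE = re.compile(r"^/[A-Za-z0-9]{1,3}\.exe$", re.IGNORECASE)


def is_dotted_quad(host: str) -> bool:
    """True when the URL names the server by an IPv4 literal instead of a DNS name."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def classify(req: dict) -> List[str]:
    """Heuristic labels for one request, in the spirit of the ET alerts in the Threats table."""
    parts = urlsplit(req["url"])
    host = parts.hostname or ""
    is_pe = req["body"].startswith(b"MZ")        # the 'MZ Response' check looks at content, not extension
    labels: List[str] = []
    if is_pe:
        labels.append("pe-download")             # ET POLICY PE EXE or DLL Windows file download HTTP
    if is_pe and is_dotted_quad(host):
        labels.append("pe-from-dotted-quad")     # ET INFO Executable Download from dotted-quad Host / MZ Response
    if TERSE_EXE.match(parts.path):
        labels.append("terse-exe-name")          # ET TROJAN Single char EXE / ET CURRENT_EVENTS Terse alphanumeric
    if is_dotted_quad(host) and parts.port not in (None, 80, 443):
        labels.append("ip-nonstandard-port")     # not one of the alerts above; a usual follow-on check
    return labels


def triage(requests: List[dict] = REQUESTS) -> Dict[Tuple[int, str], List[str]]:
    """Map (pid, url) -> labels; an empty list means nothing in the request itself stood out."""
    return {(r["pid"], r["url"]): classify(r) for r in requests}


if __name__ == "__main__":
    for (pid, url), labels in triage().items():
        print(pid, url, ", ".join(labels) or "-")
```

The ups.html fetch by u[1].exe carries none of the executable-download markers, which is why the IDS stayed silent on it; the only thing that distinguishes it is a direct-to-IP connection on an unusual port, so the report's "suspicious" reputation for that host rests on context rather than on a signature.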
No debug info