analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe

Full analysis: https://app.any.run/tasks/aaa4f397-1ee3-4a84-9294-98de7d62c4fc
Verdict: Malicious activity
Analysis date: December 02, 2019, 22:12:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

E486EDDFFD13BED33E68D6D8D4052270

SHA1:

53184DCFCEC948F02564234B5B8755FDDF066376

SHA256:

BF25B330975DC700BE3F1F6B1B3362E34EB84B89725D4936D893CDD4F1499E69

SSDEEP:

98304:lZnAjm6EkJuUj9NQf7ebPrApx/f14s5JCW+oEo74Am83DwsgYzhW0Mf8:lNl6XYUsfqD2/NhCVohvx3E5CX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • javaTM.exe (PID: 3420)
      • Java.exe (PID: 3040)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3892)
      • cmd.exe (PID: 940)
      • cmd.exe (PID: 3940)

    • Application was dropped or rewritten from another process

      • javaTM.exe (PID: 3420)
      • Java.exe (PID: 3040)

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 1520)
      • schtasks.exe (PID: 1940)
      • schtasks.exe (PID: 624)

    • Writes to a start menu file

      • javaTM.exe (PID: 3420)

  • SUSPICIOUS

    • Checks supported languages

      • POWERPNT.EXE (PID: 3876)

    • Starts Microsoft Office Application

      • bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe (PID: 2928)

    • Creates files in the user directory

      • bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe (PID: 2928)
      • javaTM.exe (PID: 3420)
      • Java.exe (PID: 3040)

    • Executable content was dropped or overwritten

      • bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe (PID: 2928)
      • JavaAlq.exe (PID: 4076)
      • javaTM.exe (PID: 3420)

    • Starts CMD.EXE for commands execution

      • javaTM.exe (PID: 3420)
      • Java.exe (PID: 3040)

    • Loads Python modules

      • javaTM.exe (PID: 3420)
      • Java.exe (PID: 3040)

    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 3344)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe (PID: 2928)

    • Reads Microsoft Office registry keys

      • POWERPNT.EXE (PID: 3876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (91.9)
.exe | Win32 Executable MS Visual C++ (generic) (3.3)
.exe | Win64 Executable (generic) (3)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

ProductVersion: 13.0.0.0
ProductName: Documento
OriginalFileName: .\dist\Reclamo.exe
LegalTrademarks: (SO) Microsoft Windows
LegalCopyright: Microsoft Windows
InternalName: Microsoft Office Power Point
FileVersion: 13.0.0.0
FileDescription: Microsoft Office Power Point 97-2003 Slide Show
CompanyName: 2.449 KB
Comments: A build of the Microsoft Windows.
CharacterSet: Windows, Latin1
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 13.0.0.0
FileVersionNumber: 13.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x30b4
UninitializedDataSize: 1024
InitializedDataSize: 119808
CodeSize: 22528
LinkerVersion: 6
PEType: PE32
TimeStamp: 2008:08:16 22:26:10+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Aug-2008 20:26:10
Detected languages:
  • English - United States
Comments: A build of the Microsoft Windows.
CompanyName: 2.449 KB
FileDescription: Microsoft Office Power Point 97-2003 Slide Show
FileVersion: 13.0.0.0
InternalName: Microsoft Office Power Point
LegalCopyright: Microsoft Windows
LegalTrademarks: (SO) Microsoft Windows
OriginalFilename: .\dist\Reclamo.exe
ProductName: Documento
ProductVersion: 13.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 16-Aug-2008 20:26:10
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000057EC
0x00005800
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.47541
.rdata
0x00007000
0x00001190
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.17644
.data
0x00009000
0x0001AF58
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.59051
.ndata
0x00024000
0x00009000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0002D000
0x0000E950
0x0000EA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.15135

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.09798
722
UNKNOWN
English - United States
RT_MANIFEST
2
4.97663
9640
UNKNOWN
English - United States
RT_ICON
3
5.19556
4136
UNKNOWN
English - United States
RT_ICON
4
6.06732
3752
UNKNOWN
English - United States
RT_ICON
5
6.34925
2216
UNKNOWN
English - United States
RT_ICON
6
4.40438
1384
UNKNOWN
English - United States
RT_ICON
7
5.44021
1128
UNKNOWN
English - United States
RT_ICON
8
2.76352
744
UNKNOWN
English - United States
RT_ICON
9
2.93515
296
UNKNOWN
English - United States
RT_ICON
103
2.88628
132
UNKNOWN
English - United States
RT_GROUP_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
13
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe powerpnt.exe no specs javaalq.exe javatm.exe cmd.exe no specs schtasks.exe no specs cmd.exe no specs schtasks.exe no specs cmd.exe no specs schtasks.exe no specs java.exe no specs cmd.exe no specs ipconfig.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2928"C:\Users\admin\AppData\Local\Temp\bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe" C:\Users\admin\AppData\Local\Temp\bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe
explorer.exe
User:
admin
Company:
2.449 KB
Integrity Level:
MEDIUM
Description:
Microsoft Office Power Point 97-2003 Slide Show
Exit code:
0
Version:
13.0.0.0
3876"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\admin\AppData\Roaming\java.\Hermosa_XXX.pps"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEbf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft PowerPoint
Exit code:
0
Version:
14.0.6009.1000
4076"C:\Users\admin\AppData\Roaming\java.\JavaAlq.exe" C:\Users\admin\AppData\Roaming\java.\JavaAlq.exe
bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3420"C:\Users\admin\AppData\Local\Temp\RarSFX0\javaTM.exe" C:\Users\admin\AppData\Local\Temp\RarSFX0\javaTM.exe
JavaAlq.exe
User:
admin
Company:
Java(TM) Platfom SE 7 U11
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
7.0.110.21
3892C:\Windows\system32\cmd.exe /c SCHTASKS /Delete /TN "Microsoft_up" /FC:\Windows\system32\cmd.exejavaTM.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1520SCHTASKS /Delete /TN "Microsoft_up" /FC:\Windows\system32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
940C:\Windows\system32\cmd.exe /c SCHTASKS /Delete /TN "Microsoft_up" /FC:\Windows\system32\cmd.exejavaTM.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
624SCHTASKS /Delete /TN "Microsoft_up" /FC:\Windows\system32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3940C:\Windows\system32\cmd.exe /c SCHTASKS /create /ST 00:00:01 /SC MINUTE /MO 60 /TR "\"C:\Users\admin\AppData\Roaming/MicroDes/JavaH.exe"\" /TN Microsoft_upC:\Windows\system32\cmd.exejavaTM.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1940SCHTASKS /create /ST 00:00:01 /SC MINUTE /MO 60 /TR "\"C:\Users\admin\AppData\Roaming/MicroDes/JavaH.exe"\" /TN Microsoft_upC:\Windows\system32\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 476
Read events
1 412
Write events
0
Delete events
0

Modification events

No data
Executable files
100
Suspicious files
1
Text files
12
Unknown types
1

Dropped files

PID
Process
Filename
Type
3876POWERPNT.EXEC:\Users\admin\AppData\Local\Temp\CVREBE6.tmp.cvr
MD5:
SHA256:
4076JavaAlq.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\java.exeexecutable
MD5:B78E32681D191ED34A02D8E814AA8914
SHA256:F1D4EB894EA21F435F1A4986D1998473DB2754EA3E5BAD20031CC0CD49569391
4076JavaAlq.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\JavaUe.exeexecutable
MD5:1487B0E079D59641B401B3927D611B3D
SHA256:3D7BC2E260D48A3BF0C228F6D054B92067B6C99000D87ABB3DC78753A637C9AF
4076JavaAlq.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\w9xpopen.exeexecutable
MD5:465182247770234BA25C6C78B29DECD7
SHA256:81E882C3771E038306348F1FD332138D95B0F545F393843122F1635264E81003
4076JavaAlq.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\JavaH.exeexecutable
MD5:C16607A726C5FB5E74CDBE508026ED97
SHA256:F22749D502FAFB619868D6EC207991FDB7AC4D1D2BA0D1B1E4D02456A30BA7E4
4076JavaAlq.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\JavaS.exeexecutable
MD5:514814AA471F9923DF393A2F6EA51722
SHA256:D0D15987ADC76F56B79115DB12D3244259DAC4B63C1A11F0EF02C487C0B397BC
4076JavaAlq.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\Javak.exeexecutable
MD5:BB5F90D26C56ECE868DD9EADE8832244
SHA256:CBB5EC654606691C0F8083AE285C4C7022B07ED0832797020FEB82482153907B
2928bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exeC:\Users\admin\AppData\Roaming\java\Hermosa_XXX.ppsdocument
MD5:67593BE1586FA629D9ECAE84B66C6A0C
SHA256:F21099E550F2CDEE99C5F40267C6D4BAC0F608F047ECD81DC89516C16FC87D25
4076JavaAlq.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\JavaD.exeexecutable
MD5:1FDC5E5D687814EE26E49B8A39725AAC
SHA256:9EF41CDB656944D242E107BE1465EF83118263977115291C166B9579CC1A3066
4076JavaAlq.exeC:\Users\admin\AppData\Local\Temp\RarSFX0\javaTM.exeexecutable
MD5:942172D1F38E0770D0F31F919066B024
SHA256:FF28F588DDAFF462E63520468E95B2859A92C8C64E2E2649836793E7858CA69B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain
IP
Reputation
java.serveblog.net
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.serveblog .net
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
bf25b330975dc700be3f1f6b1b3362e34eb84b89725d4936d893cdd4f1499e69.exe