| File name: | 666.exe |
| Full analysis: | https://app.any.run/tasks/b62aa3b9-ab2c-498b-bde8-6d10d2f45ff7 |
| Verdict: | Malicious activity |
| Analysis date: | February 19, 2024, 11:54:49 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
| MD5: | 263947FDD3BD60D45DB8E53FF6BF372A |
| SHA1: | 8630EF413E3AF8EBBCC860627094969DBAD527AC |
| SHA256: | C13B8B0A461EDDA71DA893A2EF42F449AF94E08D6F1C6D311D57F5578D750DFE |
| SSDEEP: | 98304:d+fKGe95e0yHYhdyBzx9zUfs79/RZIqQbbFBc5G69PsH4aWBWL9: |
MALICIOUS
Drops the executable file immediately after the start
- 666.exe (PID: 3772)
Changes the login/logoff helper path in the registry
- 666.exe (PID: 3772)
Disables the Shutdown in the Start menu
- 666.exe (PID: 3772)
Disables the Run the Start menu
- 666.exe (PID: 3772)
Changes image file execution options
- 666.exe (PID: 3772)
UAC/LUA settings modification
- 666.exe (PID: 3772)
SUSPICIOUS
Executable content was dropped or overwritten
- 666.exe (PID: 3772)
Creates or modifies Windows services
- 666.exe (PID: 3772)
Changes the desktop background image
- 666.exe (PID: 3772)
The process executes via Task Scheduler
- ctfmon.exe (PID: 1904)
- sipnotify.exe (PID: 1184)
Reads the Internet Settings
- sipnotify.exe (PID: 1184)
Reads settings of System Certificates
- sipnotify.exe (PID: 1184)
INFO
Checks supported languages
- 666.exe (PID: 3772)
- IMEKLMG.EXE (PID: 2140)
- IMEKLMG.EXE (PID: 2152)
- wmpnscfg.exe (PID: 2420)
- wmpnscfg.exe (PID: 2440)
Reads the computer name
- 666.exe (PID: 3772)
- IMEKLMG.EXE (PID: 2140)
- IMEKLMG.EXE (PID: 2152)
- wmpnscfg.exe (PID: 2420)
- wmpnscfg.exe (PID: 2440)
Reads security settings of Internet Explorer
- sipnotify.exe (PID: 1184)
Manual execution by a user
- IMEKLMG.EXE (PID: 2140)
- IMEKLMG.EXE (PID: 2152)
- wmpnscfg.exe (PID: 2440)
- wmpnscfg.exe (PID: 2420)
Reads the software policy settings
- sipnotify.exe (PID: 1184)
Process checks whether UAC notifications are on
- IMEKLMG.EXE (PID: 2152)
- IMEKLMG.EXE (PID: 2140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (27.3) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (24.2) |
| .exe | | | UPX compressed Win32 Executable (23.7) |
| .scr | | | Windows screen saver (11.4) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 0000:00:00 00:00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit, No debug |
| PEType: | PE32 |
| LinkerVersion: | 3.31 |
| CodeSize: | 255264 |
| InitializedDataSize: | 10244 |
| UninitializedDataSize: | 8596 |
| EntryPoint: | 0x1960 |
| OSVersion: | 4 |
| ImageVersion: | 1 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 6.6.6.6 |
| ProductVersionNumber: | 6.6.6.6 |
| FileFlagsMask: | 0x003f |
| FileFlags: | Patched |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | ~{‡‰ˆ |
| CompanyName: | ~{‡‰ˆ |
| FileDescription: | ~{‡‰ˆ |
| InternalName: | ~{‡‰ˆ |
| LegalCopyright: | ~{‡‰ˆ |
| LegalTrademarks: | ~{‡‰ˆ |
| OriginalFileName: | ~{‡‰ˆ |
| ProductName: | ~{‡‰ˆ |
| ProductVersion: | 6.6.6.6 |
| FileVersion: | 6.6.6.6 |
Total processes
87
Monitored processes
8
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1184 | C:\Windows\system32\sipnotify.exe -LogonOrUnlock | C:\Windows\System32\sipnotify.exe | taskeng.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: sipnotify Exit code: 0 Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716) Modules
| |||||||||||||||
| 1904 | C:\Windows\System32\ctfmon.exe | C:\Windows\System32\ctfmon.exe | — | taskeng.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: CTF Loader Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2140 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 2152 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 2420 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2440 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3668 | "C:\Users\admin\AppData\Local\Temp\666.exe" | C:\Users\admin\AppData\Local\Temp\666.exe | — | explorer.exe | |||||||||||
User: admin Company: ~{‡‰ˆ Integrity Level: MEDIUM Description: ~{‡‰ˆ Exit code: 3221226540 Version: 6.6.6.6 Modules
| |||||||||||||||
| 3772 | "C:\Users\admin\AppData\Local\Temp\666.exe" | C:\Users\admin\AppData\Local\Temp\666.exe | explorer.exe | ||||||||||||
User: admin Company: ~{‡‰ˆ Integrity Level: HIGH Description: ~{‡‰ˆ Exit code: 0 Version: 6.6.6.6 Modules
| |||||||||||||||
Total events
3 963
Read events
3 842
Write events
117
Delete events
4
Modification events
| (PID) Process: | (3772) 666.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe |
| Operation: | write | Name: | Debugger |
Value: C:\Windows\death.exe | |||
| (PID) Process: | (3772) 666.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processhacker.exe |
| Operation: | write | Name: | Debugger |
Value: C:\Windows\death.exe | |||
| (PID) Process: | (3772) 666.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | ShutdownWithoutLogon |
Value: 0 | |||
| (PID) Process: | (3772) 666.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | ShutdownWithoutLogon |
Value: 0 | |||
| (PID) Process: | (3772) 666.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
| Operation: | write | Name: | AutoAdminLogon |
Value: 1 | |||
| (PID) Process: | (3772) 666.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | AutoAdminLogon |
Value: 1 | |||
| (PID) Process: | (3772) 666.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | AutoAdminLogon |
Value: 1 | |||
| (PID) Process: | (3772) 666.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore |
| Operation: | write | Name: | DisableSR |
Value: 1 | |||
| (PID) Process: | (3772) 666.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | DisableTaskMgr |
Value: 1 | |||
| (PID) Process: | (3772) 666.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| Operation: | write | Name: | NoControlPanel |
Value: 1 | |||
Executable files
2
Suspicious files
1
Text files
6
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1184 | sipnotify.exe | C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\script.js | text | |
MD5:A2682382967C351F7ED21762F9E5DE9E | SHA256:36B1D26F1EC69685648C0528C2FCE95A3C2DBECF828CDFA4A8B4239A15B644A2 | |||
| 1184 | sipnotify.exe | C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\microsoft-logo.png | image | |
MD5:B7C73A0CFBA68CC70C35EF9C63703CE4 | SHA256:1D8B27A0266FF526CF95447F3701592A908848467D37C09A00A2516C1F29A013 | |||
| 1184 | sipnotify.exe | C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\styles.css | text | |
MD5:3383EEF350240253D7C2C2564381B3CB | SHA256:85443493D86D6D7FB0E07BC9705DFC9C858086FBA1B0E508092AB328D5F145E8 | |||
| 3772 | 666.exe | C:\Windows\666.bmp | image | |
MD5:95B1A43E40E5080A626372C916BC04AA | SHA256:432B44507D1665F903A65D3B04EF0E0C45CE9C03D1BF6B46D556E01C06138AA2 | |||
| 3772 | 666.exe | C:\Windows\first.exe | executable | |
MD5:D3361C7CF3B0E15539754E9A1AE26FC3 | SHA256:5CB3BCECC2FF7A9723E889A205A43FB35451585E6C6089E3FA843CB1A1F90A12 | |||
| 1184 | sipnotify.exe | C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\metadata.json | binary | |
MD5:E8A970BA6CE386EED9A5E724F26212A6 | SHA256:7E06107D585D8FC7870998F3856DCC3E35800AA97E4406AAB83BC8444B6CBDE3 | |||
| 1184 | sipnotify.exe | C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\en-us.html | html | |
MD5:9752942B57692148B9F614CF4C119A36 | SHA256:E31B834DD53FA6815F396FC09C726636ABF98F3367F0CF1590EF5EB3801C75D1 | |||
| 1184 | sipnotify.exe | C:\Users\admin\AppData\Local\microsoft\windows\SipNotify\eoscontent\main.jpg | image | |
MD5:B342ACE63F77961249A084C61EABC884 | SHA256:E5067BBA2095B5DA7C3171EC116E9A92337E24E471339B0860A160076EFE49B9 | |||
| 3772 | 666.exe | C:\Windows\death.exe | executable | |
MD5:F3346CEC01E6868EC4F593E7169DEC18 | SHA256:A29451E1B94AB7A4A4DE84BE214D39D3C6FF3343DC5DF041E627D1071B70201C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
8
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1184 | sipnotify.exe | HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133528173261400000 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1100 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1184 | sipnotify.exe | 23.212.215.38:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | AU | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
query.prod.cms.rt.microsoft.com |
| whitelisted |