File name:

shellcode-exe-2

Full analysis: https://app.any.run/tasks/288e1621-f888-4dae-8a0c-a75130b5f963
Verdict: Malicious activity
Analysis date: December 21, 2023, 09:06:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
MD5:

3BE769E47E8001375F596660EFD5B9EA

SHA1:

40A96CABE327EF335FB7217EE92FF2291CCE4E4D

SHA256:

C17BAA30070C87C8ADD483842FFA8C4655A226BA4EC6E296ECEE90490FD53536

SSDEEP:

6144:u/xGEE1S0tKnB1yqX19Xkf4G/9nMPH2p20GbNuWMk/OCXZwl:u/xG40tKBvl9S4G/BWH2U0GbbtXZwl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Known privilege escalation attack

      • dllhost.exe (PID: 1820)

  • SUSPICIOUS

    • Reads the Internet Settings

      • wab.exe (PID: 1432)

    • Reads security settings of Internet Explorer

      • wab.exe (PID: 1432)

    • Reads settings of System Certificates

      • wab.exe (PID: 1432)

    • Checks Windows Trust Settings

      • wab.exe (PID: 1432)

  • INFO

    • Checks supported languages

      • shellcode-exe-2.exe (PID: 2040)
      • wab.exe (PID: 1432)
      • wab.exe (PID: 1736)

    • Drops the executable file immediately after the start

      • shellcode-exe-2.exe (PID: 2040)

    • Checks proxy server information

      • wab.exe (PID: 1432)

    • Reads the computer name

      • wab.exe (PID: 1432)
      • wab.exe (PID: 1736)

    • Reads the machine GUID from the registry

      • wab.exe (PID: 1432)
      • wab.exe (PID: 1736)

    • Reads Environment values

      • wab.exe (PID: 1432)

    • Creates files or folders in the user directory

      • wab.exe (PID: 1432)

    • Checks transactions between databases Windows and Oracle

      • wab.exe (PID: 1432)

    • Reads product name

      • wab.exe (PID: 1432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.2)
.exe | Win16/32 Executable Delphi generic (12)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.23
CodeSize: 512
InitializedDataSize: 256000
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start shellcode-exe-2.exe no specs wab.exe CMSTPLUA no specs wab.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1432"C:\Program Files\windows mail\wab.exe"C:\Program Files\windows mail\wab.exe
shellcode-exe-2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Contacts
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\mshtml.dll
c:\program files\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1736"C:\Program Files\windows mail\wab.exe" C:\Program Files\windows mail\wab.exedllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Contacts
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\program files\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1820C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2040"C:\Users\admin\Downloads\shellcode-exe-2.exe" C:\Users\admin\Downloads\shellcode-exe-2.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\downloads\shellcode-exe-2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
Total events
5 022
Read events
4 988
Write events
34
Delete events
0

Modification events

(PID) Process:(1432) wab.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1432) wab.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1432) wab.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1432) wab.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1432) wab.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1432) wab.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1432) wab.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1432) wab.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1432) wab.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(1820) dllhost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
0
Suspicious files
10
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1432wab.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:37F18D977725732F9E8F578D7D33769D
SHA256:CF5CFCFEA99E598D2B1EC56213199B18F8BCE560B4AD21FB0D460503FD48F20F
1432wab.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:60803FB66DE57D914FF4E2131BB50D53
SHA256:B9676F33259264AF2951CEBF86232AF1A387EA41ECD21199E483A34686DB9FC3
1432wab.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_C7CF4FA7BCF717E50C9341D69112D7D7der
MD5:A86E4233E1303A3B663E4862EE599820
SHA256:837233FDC05B94E3BDF8B2F7DA6A8AB1FA14C30588AB468C1537D04F634BEF80
1432wab.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAbinary
MD5:83ECD0EFF8061AC74110BC2985C699D5
SHA256:1182BB624427DACD5CCFA30BFD68F4CC7C65800B7F11EFE7EF32224788A023DD
1432wab.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_C7CF4FA7BCF717E50C9341D69112D7D7binary
MD5:D2A9D9BE2E28B2088919C7FE7F9807A4
SHA256:8AC0997CF485D8F4C641AEAFA71647B39202A90C6565BE508448963661EDF37A
1432wab.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAbinary
MD5:AC89A852C2AAA3D389B2D2DD312AD367
SHA256:0B720E19270C672F9B6E0EC40B468AC49376807DE08A814573FE038779534F45
1432wab.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
SHA256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
1432wab.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:7C2A77E778DCB9C8A7B5172C01F8EDAC
SHA256:583940DDD6EF99FEFE71D77141CD398625CEB5CBD62EEF02A3BA29B9D167AB5B
1432wab.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9FBD3BA6168F3C4317F2AAB1E548FE96binary
MD5:326E1B5EACF32610862C68DD91BDB7B0
SHA256:FDF3BBA1B8E0E2387C0ED145FF0F4F8B3C3D1A4AA9F39CE968F4E7298F465CBD
1432wab.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9FBD3BA6168F3C4317F2AAB1E548FE96binary
MD5:F613226C37F67FE36566CE1079224D4B
SHA256:1AF049C9618EAF0E7B5AFC39265BC13B4AB5C9352E5FBC3E69E674654409D6D3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
10
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1432
wab.exe
GET
200
95.101.54.241:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b88312853f284b49
unknown
compressed
4.66 Kb
1432
wab.exe
GET
200
216.58.214.131:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
binary
1.41 Kb
1432
wab.exe
GET
200
216.58.214.131:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
unknown
binary
724 b
1432
wab.exe
GET
200
216.58.214.131:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEGpYRvzN3kAuEMlMWsqSFLc%3D
unknown
binary
471 b
1080
svchost.exe
GET
304
95.101.54.248:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a414549a770d7263
unknown
1432
wab.exe
GET
200
216.58.214.131:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCoEWSzoUVcHQncueI8VZKp
unknown
binary
472 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1080
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
unknown
4
System
192.168.100.255:137
unknown
1432
wab.exe
142.250.181.238:443
drive.google.com
GOOGLE
US
unknown
1432
wab.exe
95.101.54.241:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1432
wab.exe
216.58.214.131:80
ocsp.pki.goog
GOOGLE
US
unknown
1432
wab.exe
142.250.181.225:443
doc-0c-10-docs.googleusercontent.com
GOOGLE
US
unknown
1080
svchost.exe
95.101.54.248:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
drive.google.com
  • 142.250.181.238
unknown
ctldl.windowsupdate.com
  • 95.101.54.241
  • 2.16.202.104
  • 95.101.54.248
  • 95.101.54.227
  • 2.16.202.73
  • 2.16.202.64
  • 95.101.54.235
  • 95.101.54.243
  • 95.101.54.232
  • 2.16.202.72
  • 2.16.202.9
  • 2.16.202.65
  • 2.16.202.57
  • 2.16.202.98
  • 2.16.202.67
unknown
ocsp.pki.goog
  • 216.58.214.131
unknown
doc-0c-10-docs.googleusercontent.com
  • 142.250.181.225
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
shellcode-exe-2