File name: fcdfg.exe

Full analysis: https://app.any.run/tasks/ee35661c-882e-4bee-8c34-2cb73369a113
Verdict: Malicious activity
Analysis date: September 30, 2020, 04:16:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C243C0A3E2B6079B9AE736DD954ADAB2
SHA1: F45085742D3762829152C82A6ED05A3AA868B985
SHA256: C4BD0BAEC275A7F967ADF3DF4D30FF38BAB699B87C2106CF652EEA8311D26C0D
SSDEEP: 24576:NeLH4AlFanAsf8so7JJnHfjthf/dTYCjQ2au6YFLTnY36nGp0MR5:YjGAHP/ZlUCjDau6YF/nY3CGeM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • fcdfg.exe (PID: 3852)
    • Modifies files in Chrome extension folder

      • fcdfg.exe (PID: 3852)
    • Actions looks like stealing of personal data

      • fcdfg.exe (PID: 3852)
  • SUSPICIOUS

    • Reads the cookies of Google Chrome

      • fcdfg.exe (PID: 3852)
    • Reads the cookies of Mozilla Firefox

      • fcdfg.exe (PID: 3852)
    • Creates files in the program directory

      • fcdfg.exe (PID: 3852)
    • Creates files in the user directory

      • fcdfg.exe (PID: 3852)
  • INFO

    • Manual execution by user

      • WINWORD.EXE (PID: 1544)
      • rundll32.exe (PID: 2252)
      • WINWORD.EXE (PID: 2896)
      • NOTEPAD.EXE (PID: 3388)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 1544)
      • WINWORD.EXE (PID: 2896)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1544)
      • WINWORD.EXE (PID: 2896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

AssemblyVersion: 0.0.0.0
ProductVersion: 0.0.0.0
ProductName: -
OriginalFileName: Tree.exe
LegalTrademarks: -
LegalCopyright: -
InternalName: Tree.exe
FileVersion: 0.0.0.0
FileDescription: rw
CompanyName: -
Comments: rw
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2b40
UninitializedDataSize: -
InitializedDataSize: 5120
CodeSize: 19456
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 2018:06:25 17:13:43+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 25-Jun-2018 15:13:43
Comments: rw
CompanyName: -
FileDescription: rw
FileVersion: 0.0.0.0
InternalName: Tree.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFilename: Tree.exe
ProductName: -
ProductVersion: 0.0.0.0
Assembly Version: 0.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 25-Jun-2018 15:13:43
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
 | 0x0000E000 | 0x00280000 | 0x0002BA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99834
.rsrc | 0x0000C000 | 0x00002000 | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.90396
.data | 0x0028E000 | 0x000E4000 | 0x000E2A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.9786

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.06644 | 3362 | UNKNOWN | UNKNOWN | RT_MANIFEST

Imports

advapi32.dll
gdi32.dll
kernel32.dll
mscoree.dll
oleaut32.dll
shell32.dll
user32.dll
version.dll
No data.
All screenshots are available in the full report
Total processes: 46
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown: fcdfg.exe, winword.exe (no specs), winword.exe (no specs), notepad.exe (no specs), rundll32.exe (no specs)

Process information

PID: 3852
CMD: "C:\Users\admin\AppData\Local\Temp\fcdfg.exe"
Path: C:\Users\admin\AppData\Local\Temp\fcdfg.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: rw
Version: 0.0.0.0

PID: 1544
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\lotspurchase.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 2896
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\~$tspurchase.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000

PID: 3388
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\key.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2252
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\himimages.rtf.enc
Path: C:\Windows\system32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 864
Read events: 1 264
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 1 842
Text files: 7
Unknown types: 44

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3852 | fcdfg.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.enc | binary | E85B456FD4D8AD3878C09C1FE8307D3D | CE96147E9A3CCBFCFB076FE53F8EC178CB28F215A1671C86A97D4E2668835EEE
3852 | fcdfg.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.enc | binary | 93E75A4605BDB42BA878004BE5FF9AD1 | B58374194B08A93D1046339788417685E8064698676139910C4B71DCAC4C3844
3852 | fcdfg.exe | C:\Users\admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.enc | binary | AC336E2D2F2A95847A9916E83F78F03F | 84F4684EF9022FA1DE0AF70CF30AD6F7AF44EF801606E443C4A517264064E48B
3852 | fcdfg.exe | C:\Users\admin\AppData\Local\IconCache.db.enc | binary | B555A05A9958A7E950721026911479E1 | 1AA68216DB0DD0CECEAD000548BF46224D77997E9E78476ED670D7771DF9CEC1
3852 | fcdfg.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.enc | binary | 402588704B22A26F0D502242388E0881 | 24DAAC8725DAAAE411C1DC8691331440017A8999763D417C765D5528AF6118ED
3852 | fcdfg.exe | C:\Users\admin\AppData\Local\GDIPFONTCACHEV1.DAT.enc | binary | 11F52ED504910C8BFFF7993EC72FA736 | FB32595BA38FCF52A55BBF787F858463A74211271A6AFA3E4709423A28604FBE
3852 | fcdfg.exe | C:\Users\admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.enc | binary | 64A110DA1D42D6A6F96B13B471EEC78C | 42462FF6196AF53BD6EF6D8874BD6DB6C7638684BFFB3854A41955028ED720B0
3852 | fcdfg.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.enc | binary | 05B2EE63985F1CB29B2BCE3A2794A8CC | F09928B8C6A95423D4549C38D70880AD2AE3B9954A98C2128E1B84563B3B054C
3852 | fcdfg.exe | C:\Users\admin\AppData\Local\Adobe\Color\ACECache11.lst.enc | binary | 2C73E7AB2245D9E924853A05F5B1AB47 | AE909392D6FDF6F04A04546522F094397A194EE1CA642ADF322A03FD13FB1B2B
3852 | fcdfg.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat.enc | binary | A6D0BAF873E072F3C90A9CFD695AE583 | 9A03FE969FE0E7779605F8F78BB36C3F120EBC443A7BDD31400BA1C536CA79DF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info