File name: cp.exe
Full analysis: https://app.any.run/tasks/8eaa573e-dea3-4492-a381-ad3dbff47baf
Verdict: Malicious activity
Analysis date: April 03, 2024, 07:00:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: ADC187B1E5A6B66CA28FD3BE5F6790CC
SHA1: CE467CB5D6275CD8289847C77ED9EBAEE1C04A89
SHA256: C4E838A74E5BAF5DBD86BEEDFF96C1C9353B49ECF2AD362F47A4B134453701AB
SSDEEP: 3072:8RTvOkuMFCTSGMaU/IfDo2SnTPBBlKP+7BBlKP+n:JSD/I0V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • cp.exe (PID: 2124)
    • Changes the autorun value in the registry
      • cp.exe (PID: 2124)
  • SUSPICIOUS
    • Reads settings of System Certificates
      • cp.exe (PID: 2124)
    • Reads the Internet Settings
      • cp.exe (PID: 2124)
      • InstallUtil.exe (PID: 4004)
    • Connects to the server without a host name
      • InstallUtil.exe (PID: 4004)
  • INFO
    • Checks supported languages
      • cp.exe (PID: 2124)
      • InstallUtil.exe (PID: 4004)
    • Reads Environment values
      • cp.exe (PID: 2124)
      • InstallUtil.exe (PID: 4004)
    • Reads the computer name
      • cp.exe (PID: 2124)
      • InstallUtil.exe (PID: 4004)
    • Reads the software policy settings
      • cp.exe (PID: 2124)
    • Create files in a temporary directory
      • cp.exe (PID: 2124)
    • Reads the machine GUID from the registry
      • cp.exe (PID: 2124)
      • InstallUtil.exe (PID: 4004)
    • Creates files in the program directory
      • InstallUtil.exe (PID: 4004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:04:02 15:10:47+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 90624
InitializedDataSize: 8704
UninitializedDataSize: -
EntryPoint: 0x1800e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.3.3.0
ProductVersionNumber: 3.3.3.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: German
CharacterSet: Unicode
Comments: TraceRouteOK
CompanyName: Nenad Hrg SoftwareOK.com
FileDescription: TraceRouteOK for all MS Windows OS
FileVersion: 3, 3, 3, 0
InternalName: TraceRouteOK
LegalCopyright: Copyright © 2009-2023 www.SoftwareOK.com
LegalTrademarks: -
OriginalFileName: TraceRouteOK.exe
PrivateBuild: -
ProductName: Nenad Hrg TraceRouteOK
ProductVersion: 3, 3, 3, 0
SpecialBuild: -
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> cp.exe -> installutil.exe

Process information

PID 2124
  CMD: "C:\Users\admin\AppData\Local\Temp\cp.exe"
  Path: C:\Users\admin\AppData\Local\Temp\cp.exe
  Parent process: explorer.exe
  User: admin
  Company: Nenad Hrg SoftwareOK.com
  Integrity Level: MEDIUM
  Description: TraceRouteOK for all MS Windows OS
  Exit code: 0
  Version: 3, 3, 3, 0
  Modules (images):
    c:\users\admin\appdata\local\temp\cp.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 4004
  CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  Parent process: cp.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: .NET Framework installation utility
  Version: 4.8.3761.0 built by: NET48REL1
  Modules (images):
    c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 5 684
Read events: 5 645
Write events: 39
Delete events: 0

Modification events (10 of the 39 write events are listed)

PID   Process  Key                                                         Operation  Name                  Value
2124  cp.exe   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\cp_RASAPI32   write      EnableFileTracing     0
2124  cp.exe   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\cp_RASAPI32   write      EnableConsoleTracing  0
2124  cp.exe   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\cp_RASAPI32   write      FileTracingMask       -
2124  cp.exe   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\cp_RASAPI32   write      ConsoleTracingMask    -
2124  cp.exe   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\cp_RASAPI32   write      MaxFileSize           1048576
2124  cp.exe   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\cp_RASAPI32   write      FileDirectory         %windir%\tracing
2124  cp.exe   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\cp_RASMANCS   write      EnableFileTracing     0
2124  cp.exe   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\cp_RASMANCS   write      EnableConsoleTracing  0
2124  cp.exe   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\cp_RASMANCS   write      FileTracingMask       -
2124  cp.exe   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\cp_RASMANCS   write      ConsoleTracingMask    -

Note: the cp_RASAPI32 and cp_RASMANCS keys under HKLM\SOFTWARE\Microsoft\Tracing are created by the Windows RAS tracing machinery whenever a process loads rasapi32/rasman, which WinINet-based HTTP code typically does. They show that cp.exe went online, not that it persists. The registry write behind the "Changes the autorun value in the registry" indicator above is not among the ten events listed here.
Executable files: 0
Suspicious files: 3
Text files: 0
Unknown types: 3

Dropped files

PID   Process          Filename                                                                                        Type
2124  cp.exe           C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506   compressed
2124  cp.exe           C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506  binary
2124  cp.exe           C:\Users\admin\AppData\Local\Temp\Cab2527.tmp                                                   compressed
2124  cp.exe           C:\Users\admin\AppData\Local\Temp\Tar2528.tmp                                                   binary
2124  cp.exe           C:\Users\admin\AppData\Local\Temp\vuupdate.exe                                                  -
4004  InstallUtil.exe  C:\ProgramData\Corporation\recovery.dat                                                         binary
4004  InstallUtil.exe  C:\ProgramData\Corporation\recoverysol.dat                                                      binary

MD5 and SHA256 values for the dropped files are not included in this excerpt. vuupdate.exe is listed without a type and is not reflected in the "Executable files: 0" count above; the two .dat files are the bodies of the HTTP responses InstallUtil.exe fetched from 185.172.128.87 (see HTTP requests below).
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 7
DNS requests: 4
Threats: 4

HTTP requests

PID   Process          Method  HTTP code  IP                 URL                                                                                                     CN       Type  Size  Reputation
2124  cp.exe           GET     200        23.53.40.73:80     http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3eb62bd5d68144a3  unknown  -     -     unknown
4004  InstallUtil.exe  GET     200        185.172.128.87:80  http://185.172.128.87/recoverysol.dat                                                                   unknown  -     -     unknown
4004  InstallUtil.exe  GET     200        185.172.128.87:80  http://185.172.128.87/recovery.dat                                                                      unknown  -     -     unknown

Note: the authrootstl.cab request and the CryptnetUrlCache files in the dropped-files list are CryptoAPI's automatic root-certificate (trusted-root CTL) update, triggered during certificate chain validation; they are Windows behaviour, not attacker infrastructure. The two hostless GETs from InstallUtil.exe to 185.172.128.87 are the ones to pivot on, and they match the "Connects to the server without a host name" indicator.

Connections

PID   Process          IP                   Domain                   ASN                        CN  Reputation
4     System           192.168.100.255:137  -                        -                          -   whitelisted
-     -                224.0.0.252:5355     -                        -                          -   unknown
4     System           192.168.100.255:138  -                        -                          -   whitelisted
2124  cp.exe           50.7.236.50:443      pixeldrain.com           COGENT-174                 NL  unknown
2124  cp.exe           23.53.40.73:80       ctldl.windowsupdate.com  Akamai International B.V.  DE  unknown
1080  svchost.exe      224.0.0.252:5355     -                        -                          -   unknown
4004  InstallUtil.exe  185.172.128.87:80    -                        OOO Nadym Svyaz Service    RU  unknown
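The process tree and the connection and dropped-file tables together describe one chain: cp.exe in %TEMP% reaches pixeldrain.com over TLS, drops vuupdate.exe, and starts the signed .NET utility InstallUtil.exe, which fetches two .dat files from a bare IP into C:\ProgramData\Corporation\. The following is an added detection example, not ANY.RUN code, that correlates the indicators from the MALICIOUS/SUSPICIOUS list above over Sysmon-style events. The events are constructed from this report; the full path of explorer.exe, the event field names, and the list of .NET host binaries are assumptions.

```python
"""Correlate process, network and file events into the chain this report shows.

Added example; not ANY.RUN code. EVENTS is CONSTRUCTED from the report's
process tree, connections and dropped files (field names are Sysmon-like
assumptions).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    parent_image: str
    connections: List[Tuple[str, int, str]] = field(default_factory=list)
    files_written: List[str] = field(default_factory=list)


# Signed .NET Framework utilities that loaders start purely to host injected
# code; their legitimate parents are installers and build tooling. Assumption.
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "aspnet_compiler.exe"}

# Directories a standard user can write to; a trusted system binary should
# not have a parent living in one of them.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|Roaming)\\|ProgramData\\|Users\\Public\\)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def load(events: List[dict]) -> Dict[int, Proc]:
    """Fold flat events into per-process records keyed by PID."""
    procs: Dict[int, Proc] = {}
    for e in events:
        if e["event"] == "ProcessCreate":
            procs[e["pid"]] = Proc(e["pid"], e["image"], e["parent_image"])
        elif e["event"] == "NetworkConnect":
            procs[e["pid"]].connections.append(
                (e["dst_ip"], e["dst_port"], e.get("dst_host", "")))
        elif e["event"] == "FileCreate":
            procs[e["pid"]].files_written.append(e["target"])
    return procs


def findings(procs: Dict[int, Proc]) -> Dict[int, List[str]]:
    """Per-PID reasons; each mirrors one indicator from the report."""
    out: Dict[int, List[str]] = defaultdict(list)
    for p in procs.values():
        # .NET host utility started by something in a user-writable path
        if basename(p.image) in DOTNET_HOSTS and USER_WRITABLE.search(p.parent_image):
            out[p.pid].append(f"{basename(p.image)} spawned by {p.parent_image}")
        # "Connects to the server without a host name"
        for ip, port, host in p.connections:
            if not host and port in (80, 443):
                out[p.pid].append(f"HTTP(S) to bare IP {ip}:{port}")
        # "Creates files in the program directory" (weak on its own)
        for f in p.files_written:
            if f.lower().startswith("c:\\programdata\\"):
                out[p.pid].append(f"writes under ProgramData: {f}")
    return dict(out)


def verdict(procs: Dict[int, Proc]) -> Set[int]:
    """PIDs with at least two independent findings; one alone is too noisy."""
    return {pid for pid, reasons in findings(procs).items() if len(reasons) >= 2}


# CONSTRUCTED events mirroring the report's tables.
EVENTS = [
    {"event": "ProcessCreate", "pid": 2124,
     "image": r"C:\Users\admin\AppData\Local\Temp\cp.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "ProcessCreate", "pid": 4004,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Users\admin\AppData\Local\Temp\cp.exe"},
    {"event": "NetworkConnect", "pid": 2124, "dst_ip": "50.7.236.50",
     "dst_port": 443, "dst_host": "pixeldrain.com"},
    {"event": "NetworkConnect", "pid": 2124, "dst_ip": "23.53.40.73",
     "dst_port": 80, "dst_host": "ctldl.windowsupdate.com"},
    {"event": "NetworkConnect", "pid": 4004, "dst_ip": "185.172.128.87",
     "dst_port": 80, "dst_host": ""},
    {"event": "FileCreate", "pid": 2124,
     "target": r"C:\Users\admin\AppData\Local\Temp\vuupdate.exe"},
    {"event": "FileCreate", "pid": 4004,
     "target": r"C:\ProgramData\Corporation\recovery.dat"},
    {"event": "FileCreate", "pid": 4004,
     "target": r"C:\ProgramData\Corporation\recoverysol.dat"},
]

if __name__ == "__main__":
    for pid, reasons in findings(load(EVENTS)).items():
        print(pid, *reasons, sep="\n  ")
    print("flagged:", sorted(verdict(load(EVENTS))))
```

cp.exe itself produces no finding here: both of its connections carry a hostname, and the one to ctldl.windowsupdate.com is benign. The alert lands on InstallUtil.exe, which is the right place, because the parent-from-%TEMP% relationship survives even if the payload URL and IP change.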

DNS requests

Domain
IP
Reputation
pixeldrain.com
  • 50.7.236.50
  • 50.7.22.10
  • 66.90.86.26
whitelisted
ctldl.windowsupdate.com
  • 23.53.40.73
  • 23.53.40.19
  • 23.53.40.41
  • 23.53.40.18
  • 23.53.40.65
  • 23.53.40.26
  • 23.53.40.40
  • 23.53.40.67
  • 23.53.40.83
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID   Process      Class          Message
1080  svchost.exe  Misc activity  ET INFO File Sharing Related Domain in DNS Lookup (pixeldrain .com)
2124  cp.exe       Misc activity  ET INFO File Sharing Domain Observed in TLS SNI (pixeldrain .com)
2 ETPRO signatures available at the full report
No debug info