File name: c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de

Full analysis: https://app.any.run/tasks/58a2ca5c-6422-447a-a05d-35d3b56a963e
Verdict: Malicious activity
Analysis date: December 06, 2022, 05:14:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer, autoit
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 61494A835CE331D776C27FC6584930C7
SHA1: B8C85F0CFB217441608E7019F193579E03047082
SHA256: C870025F693DF5311E58F7213B426F7EC204E21255A4737723BF5EFE24FF72DE
SSDEEP: 49152:O2Jd3BBHWSCVaUMmKaEahivTVLW2Rx0fC+jeE6N:O2j3BzCVVFKa+7I5fC+S7N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Engine.exe (PID: 3080)
      • Maui.exe.pif (PID: 3932)
      • owokVWCwmi.exe.com (PID: 3272)
    • Drops the executable file immediately after the start
      • Maui.exe.pif (PID: 3932)
    • Writes to the Start menu file
      • cmd.exe (PID: 2628)
  • SUSPICIOUS
    • Application launched itself
      • cmd.exe (PID: 1040)
    • Runs PING.EXE to delay simulation
      • cmd.exe (PID: 2304)
    • Executable content was dropped or overwritten
      • Maui.exe.pif (PID: 3932)
    • Drops the AutoIt3 executable file
      • Maui.exe.pif (PID: 3932)
    • Reads the Windows owner or organization settings
      • Engine.exe (PID: 3080)
    • Searches for installed software
      • jsc.exe (PID: 3092)
    • Uses TASKKILL.EXE to terminate process
      • jsc.exe (PID: 3092)
    • Reads the Internet Settings
      • jsc.exe (PID: 3092)
    • Reads browser cookies
      • jsc.exe (PID: 3092)
    • Executes via Task Scheduler
      • owokVWCwmi.exe.com (PID: 3272)
    • Connects to unusual port
      • jsc.exe (PID: 3092)
  • INFO
    • Checks supported languages
      • Engine.exe (PID: 3080)
      • c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe (PID: 1328)
      • Maui.exe.pif (PID: 3932)
      • jsc.exe (PID: 3092)
      • owokVWCwmi.exe.com (PID: 3272)
    • Reads the computer name
      • Engine.exe (PID: 3080)
      • Maui.exe.pif (PID: 3932)
      • jsc.exe (PID: 3092)
    • Starts application with an unusual extension
      • cmd.exe (PID: 2304)
    • Reads security settings of Internet Explorer
      • powershell.exe (PID: 860)
      • powershell.exe (PID: 3140)
    • Reads mouse settings
      • Maui.exe.pif (PID: 3932)
      • owokVWCwmi.exe.com (PID: 3272)
    • Manual execution by a user
      • cmd.exe (PID: 2628)
    • Reads product name
      • jsc.exe (PID: 3092)
    • Reads Environment values
      • jsc.exe (PID: 3092)
    • Creates files in the program directory
      • jsc.exe (PID: 3092)
No Malware configuration.

TRiD

.exe | InstallShield setup (49.2)
.exe | Win32 Executable Delphi generic (16.2)
.scr | Windows screen saver (14.9)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • English - United States
  • Hebrew - Israel
Comments: Roof Insured Games Pope
CompanyName: One Underlying Ours Qkp.
FileDescription: Webcast College Safely
FileVersion: 2.1.1.7
InternalName:
LegalCopyright: Copyright (C) Llc In Come Igy.
LegalTrademarks: Memories Hosts
ProductName: Booty Automated
ProductVersion: 2.1.1.7

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: 0
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 26
e_oemid: 0
e_oeminfo: 0
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
CODE | 4096 | 149628 | 150016 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.49182
DATA | 155648 | 7936 | 8192 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.2617
BSS | 163840 | 2313 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 167936 | 4408 | 4608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.77365
.tls | 176128 | 8 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 180224 | 24 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.200582
.reloc | 184320 | 8448 | 8704 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.69588
.rsrc | 196608 | 10876 | 11264 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 4.93017

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.67967 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON
4091 | 2.39 | 120 | Latin 1 / Western European | UNKNOWN | RT_STRING
4092 | 2.94341 | 244 | Latin 1 / Western European | UNKNOWN | RT_STRING
4093 | 2.8794 | 196 | Latin 1 / Western European | UNKNOWN | RT_STRING
4094 | 3.19303 | 748 | Latin 1 / Western European | UNKNOWN | RT_STRING
4095 | 3.27138 | 832 | Latin 1 / Western European | UNKNOWN | RT_STRING
4096 | 3.16152 | 704 | Latin 1 / Western European | UNKNOWN | RT_STRING
1 (#2) | 3.45462 | 744 | Latin 1 / Western European | Hebrew - Israel | RT_ICON
DVCLAL | 4 | 16 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
PACKAGEINFO | 5.34155 | 348 | Latin 1 / Western European | UNKNOWN | RT_RCDATA

Imports

advapi32.dll
advapi32.dll (#2)
comctl32.dll
gdi32.dll
kernel32.dll
kernel32.dll (#2)
kernel32.dll (#3)
kernel32.dll (#4)
oleaut32.dll
shell32.dll
No data.
Total processes: 51
Monitored processes: 14
Malicious processes: 5
Suspicious processes: 2

Behavior graph

  • c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe (no specs)
  • engine.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • powershell.exe (no specs)
  • powershell.exe (no specs)
  • findstr.exe (no specs)
  • maui.exe.pif
  • ping.exe (no specs)
  • cmd.exe
  • schtasks.exe (no specs)
  • jsc.exe
  • taskkill.exe (no specs)
  • owokvwcwmi.exe.com (no specs)

Process information
PID: 1328
CMD: "C:\Users\admin\AppData\Local\Temp\c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe"
Path: C:\Users\admin\AppData\Local\Temp\c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe
Parent process: Explorer.EXE
User: admin
Company: One Underlying Ours Qkp.
Integrity Level: MEDIUM
Description: Webcast College Safely
Exit code: 0
Version: 2.1.1.7
Modules:
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 3080
CMD: C:\Users\admin\AppData\Local\Temp\SETUP_10716\Engine.exe /TH_ID=_1580 /OriginExe="C:\Users\admin\AppData\Local\Temp\c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe"
Path: C:\Users\admin\AppData\Local\Temp\SETUP_10716\Engine.exe
Parent process: c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe
User: admin
Company: Pantaray Research Ltd.
Integrity Level: MEDIUM
Description: Setup/UnInstall Engine
Exit code: 0
Version: 9.1.0.6
Modules:
c:\users\admin\appdata\local\temp\setup_10716\engine.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cabinet.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
PID: 1040
CMD: C:\Windows\system32\cmd.exe /c cmd < Translated.cda
Path: C:\Windows\system32\cmd.exe
Parent process: Engine.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2304
CMD: cmd
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3140
CMD: powershell get-process avastui
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules:
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 860
CMD: powershell get-process avgui
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules:
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\atl.dll
PID: 3776
CMD: findstr /V /R "^dMaM" Thousands.cda
Path: C:\Windows\system32\findstr.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Find String (QGREP) Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules:
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
PID: 3932
CMD: Maui.exe.pif c
Path: C:\Users\admin\AppData\Local\Temp\npgtkcrh.jvv\Maui.exe.pif
Parent process: cmd.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script
Version: 3, 3, 14, 5
Modules:
c:\users\admin\appdata\local\temp\npgtkcrh.jvv\maui.exe.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
PID: 2952
CMD: ping localhost -n 8
Path: C:\Windows\system32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Ping Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules:
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 2628
CMD: cmd /c echo [InternetShortcut] > "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\owokVWCwmi.url" & echo URL="C:\Users\admin\AppData\Local\jucxIOkyRf\TXLYzJN.vbs" >> "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\owokVWCwmi.url"
Path: C:\Windows\system32\cmd.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules:
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
Total events: 4 875
Read events: 4 863
Write events: 12
Delete events: 0

Modification events

(PID) Process: (3092) jsc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
(PID) Process: (3092) jsc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
(PID) Process: (3092) jsc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASAPI32 | Operation: write | Name: FileTracingMask | Value:
(PID) Process: (3092) jsc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value:
(PID) Process: (3092) jsc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASAPI32 | Operation: write | Name: MaxFileSize | Value: 1048576
(PID) Process: (3092) jsc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASAPI32 | Operation: write | Name: FileDirectory | Value: %windir%\tracing
(PID) Process: (3092) jsc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASMANCS | Operation: write | Name: EnableFileTracing | Value: 0
(PID) Process: (3092) jsc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASMANCS | Operation: write | Name: EnableConsoleTracing | Value: 0
(PID) Process: (3092) jsc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASMANCS | Operation: write | Name: FileTracingMask | Value:
(PID) Process: (3092) jsc.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\jsc_RASMANCS | Operation: write | Name: ConsoleTracingMask | Value:
Executable files: 2
Suspicious files: 7
Text files: 18
Unknown types: 1

Dropped files

PID | Process | Filename | Type
1328 | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | C:\Users\admin\AppData\Local\Temp\SETUP_10716\00002#Translated.cda | text
  MD5: FADBCD2FB4BE032FF6145B94EEED068E | SHA256: C288B141D2988401EF472325B601D4EE2B4A16B71E6637A7F252556FABE59412
1328 | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | C:\Users\admin\AppData\Local\Temp\SETUP_10716\00001#Thousands.cda | binary
  MD5: 36F5C4696F54A98E1BF256DF033E34CF | SHA256: 656AF4BEE6B89094A6828394BF7EA26058ABF5186AB606B15440AC1B33FDADCD
1328 | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | C:\Users\admin\AppData\Local\Temp\SETUP_10716\Modern_Setup.bmp | image
  MD5: DED1D8DB477CC655B17E16C6FE989707 | SHA256: 7A5D14D64EF24CDF895F947700F6E8444940C3CF5B23E868F2B3A14F0FE14206
1328 | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | C:\Users\admin\AppData\Local\Temp\SETUP_10716\Setup.txt | text
  MD5: E143502369BA42EA20E32419536742AA | SHA256: B242BD6554CF480C29129C89B693A49CD37452A796211E8A6B747423C93BCE8F
1328 | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | C:\Users\admin\AppData\Local\Temp\SETUP_10716\Modern_Icon.bmp | image
  MD5: 1DD88F67F029710D5C5858A6293A93F1 | SHA256: B5DAD33CEB6EB1AC2A05FBDA76E29A73038403939218A88367925C3A20C05532
3080 | Engine.exe | C:\Users\admin\AppData\Local\Temp\npgtkcrh.jvv\Thousands.cda | binary
  MD5: 36F5C4696F54A98E1BF256DF033E34CF | SHA256: 656AF4BEE6B89094A6828394BF7EA26058ABF5186AB606B15440AC1B33FDADCD
1328 | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | C:\Users\admin\AppData\Local\Temp\SETUP_10716\1.qsp | ini
  MD5: 78BD4C4A2EB54E8AACBEF7272BF98604 | SHA256: 374639557505F85EEED45819C510A53C38C0418F21A43C1FE6D7C753E04098F9
1328 | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | C:\Users\admin\AppData\Local\Temp\SETUP_10716\00000#Pools.cda | text
  MD5: 5DD1213377CE2F40B914C5EA22166B55 | SHA256: D7909FD46FABE766CB531A7CB0E23243C40C8F60918C7DD68612734606CE5EC7
1328 | c870025f693df5311e58f7213b426f7ec204e21255a4737723bf5efe24ff72de.exe | C:\Users\admin\AppData\Local\Temp\SETUP_10716\Engine.exe | executable
  MD5: E57156DAAD46C61A0395DF1FDBADC766 | SHA256: DCA85F4607B1535BD9DAAD75F57646B53D2B7E2A381A2306AB62CCE0E61B1A35
3080 | Engine.exe | C:\Users\admin\AppData\Local\Temp\npgtkcrh.jvv\Pools.cda | text
  MD5: 5DD1213377CE2F40B914C5EA22166B55 | SHA256: D7909FD46FABE766CB531A7CB0E23243C40C8F60918C7DD68612734606CE5EC7
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3092 | jsc.exe | GET | 200 | 5.132.162.27:80 | http://eth0.me/ | AT | text | 13 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3092 | jsc.exe | 65.109.85.189:15648 | | Hetzner Online GmbH | FI | unknown
3092 | jsc.exe | 5.132.162.27:80 | eth0.me | interneX GmbH | AT | unknown

DNS requests

Domain | IP | Reputation
dvMkRllBVggUGyO.dvMkRllBVggUGyO | | unknown
eth0.me | 5.132.162.27 | unknown

Threats

No threats detected
No debug info