File name: 7Tide.exe
Full analysis: https://app.any.run/tasks/b2fb68fa-2feb-4a3f-8e0f-3712dd4ad0ac
Verdict: Malicious activity
Analysis date: July 17, 2019, 13:57:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8AA2D9F2DE8B7D039FA5E86F7AEBA4D1
SHA1: 3640EF811B82E39012E229D2C90C9EDFB2385F58
SHA256: C985F98AE9809268B7D4F7E45F73AAA681A0FAD23A7F302A9861EF8F5BD51052
SSDEEP: 393216:KlLmoiBUm5CWhf3G0XPlkdf7jxKqWMM4ekTS5abKa7DMcJDlS:siB7t9cDdO4ekpKI4cL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • 7Tide.exe (PID: 2532)
  • SUSPICIOUS

    • Creates files in the user directory

      • 7Tide.exe (PID: 2532)
    • Executable content was dropped or overwritten

      • 7Tide.exe (PID: 3916)
    • Loads Python modules

      • 7Tide.exe (PID: 2532)
    • Starts Internet Explorer

      • 7Tide.exe (PID: 2532)
    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3200)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • 7Tide.exe (PID: 3916)
    • Changes internet zones settings

      • iexplore.exe (PID: 236)
    • Creates files in the user directory

      • iexplore.exe (PID: 880)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3200)
      • iexplore.exe (PID: 2384)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 880)
      • iexplore.exe (PID: 2384)
    • Application launched itself

      • iexplore.exe (PID: 236)
    • Reads internet explorer settings

      • iexplore.exe (PID: 880)
      • iexplore.exe (PID: 2384)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 236)
    • Changes settings of System certificates

      • iexplore.exe (PID: 236)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 236)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:09:04 16:43:33+02:00
PEType: PE32
LinkerVersion: 14
CodeSize: 125952
InitializedDataSize: 427008
UninitializedDataSize: -
EntryPoint: 0x79d3
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 04-Sep-2018 14:43:33

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 04-Sep-2018 14:43:33
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0001EB34 | 0x0001EC00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.64811
.rdata | 0x00020000 | 0x0000B164 | 0x0000B200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.09995
.data | 0x0002C000 | 0x0000E688 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.92387
.gfids | 0x0003B000 | 0x000000B8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.83952
.rsrc | 0x0003C000 | 0x0005AC4C | 0x0005AE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.01416
.reloc | 0x00097000 | 0x000017B4 | 0x00001800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.65332
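The Sections table above is produced by walking the PE headers (the DOS header's e_lfanew, the COFF header, then one 40-byte IMAGE_SECTION_HEADER per section) and computing the Shannon entropy of each section's raw bytes. The script below is an added example for this page, not ANY.RUN's code: it rebuilds the same six columns for any PE32/PE32+ file using only the standard library. Because it must run offline, it constructs a minimal two-section PE image inline (an assumption, not the 7Tide.exe sample); pass a real file path on the command line to analyse a sample instead.

```python
"""Rebuild the report's Sections table (name, VA, sizes, flags, entropy) from a PE file.

Added example for this report, not ANY.RUN's own code. Standard library only.
A minimal PE32 image is constructed inline so the script runs offline; pass a
real file path on the command line to analyse a sample instead.
"""
import math
import struct
import sys
from collections import Counter

# Subset of the IMAGE_SCN_* section flags (winnt.h) that appear in the report's table.
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes) -> list:
    """Parse the section table; entropy is computed over each section's raw file bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    # e_lfanew at offset 0x3C is what the report labels "Address of NE header".
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    sec_off = coff + 20 + opt_size  # section headers follow the 20-byte COFF header + optional header
    sections = []
    for i in range(nsections):
        hdr = sec_off + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Characteristics is the last DWORD
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, hdr)
        (flags,) = struct.unpack_from("<I", image, hdr + 36)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "characteristics": [n for bit, n in SECTION_FLAGS.items() if flags & bit],
            "entropy": round(shannon_entropy(raw), 5),
        })
    return sections


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image (assumption: this is NOT the report's sample)."""
    sections = [
        (b".text", 0x20 | 0x20000000 | 0x40000000, bytes(range(256)) * 2),  # uniform bytes -> 8.0
        (b".data", 0x40 | 0x40000000 | 0x80000000, b"\0" * 512),            # all zero -> 0.0
    ]
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, remaining fields zeroed
    hdr_len = len(dos) + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (hdr_len + 0x1FF) & ~0x1FF  # 512-byte file alignment for raw data
    hdrs, body, vaddr = b"", b"", 0x1000
    for name, flags, raw in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw),
                            raw_base + len(body), 0, 0, 0, 0, flags)
        body += raw
        vaddr += 0x1000
    image = dos + b"PE\0\0" + coff + opt + hdrs
    return image + b"\0" * (raw_base - len(image)) + body


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for s in pe_sections(data):
        print(f"{s['name']:<8} 0x{s['virtual_address']:08X} 0x{s['virtual_size']:08X} "
              f"0x{s['raw_size']:08X} {', '.join(s['characteristics'])} {s['entropy']}")
```

Entropy is computed over SizeOfRawData bytes, which is why a section such as .data above (0xE688 virtual but only 0xA00 raw) scores low: most of it is uninitialised at load time. Values approaching 8.0 in a code section usually indicate packed or encrypted content; the 6.6 seen in this sample's .text is in the normal range for compiled native code.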

Resources

Title | Entropy | Size | Codepage | Language | Type
0 | 2.55883 | 90 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON
1 | 5.67678 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON
2 | 5.48315 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON
3 | 5.27519 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON
4 | 5.18499 | 16936 | Latin 1 / Western European | UNKNOWN | RT_ICON
5 | 5.02954 | 67624 | Latin 1 / Western European | UNKNOWN | RT_ICON
6 | 4.948 | 270376 | Latin 1 / Western European | UNKNOWN | RT_ICON
7 | 6.39466 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON
101 | 2.71858 | 104 | Latin 1 / Western European | UNKNOWN | RT_GROUP_ICON

Imports

KERNEL32.dll
USER32.dll
WS2_32.dll
No data.
Total processes: 39
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 1

Behavior graph

(Interactive process graph available in the full report. Nodes shown: start, 7tide.exe, 7tide.exe (no specs), iexplore.exe, iexplore.exe, flashutil32_26_0_0_131_activex.exe (no specs), iexplore.exe. Parent/child relations are listed under Process information below.)

Process information

PID: 3916
CMD: "C:\Users\admin\AppData\Local\Temp\7Tide.exe"
Path: C:\Users\admin\AppData\Local\Temp\7Tide.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

PID: 2532
CMD: "C:\Users\admin\AppData\Local\Temp\7Tide.exe"
Path: C:\Users\admin\AppData\Local\Temp\7Tide.exe
Parent process: 7Tide.exe
User: admin
Integrity Level: MEDIUM

PID: 236
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: 7Tide.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 880
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:236 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3200
CMD: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Parent process: svchost.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version: 26,0,0,131

PID: 2384
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:236 CREDAT:6403
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 681
Read events: 564
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 41
Suspicious files: 1
Text files: 43
Unknown types: 10

Dropped files

All ten files listed here were written by the first 7Tide.exe instance (PID 3916) into C:\Users\admin\AppData\Local\Temp\_MEI39162\. A %TEMP%\_MEI<pid><n> directory is the extraction directory created by the PyInstaller one-file bootloader: the bundled Python extension modules (.pyd) and the Qt4/PySide DLLs are unpacked there and then loaded by a second copy of the executable, which matches the process tree above (PID 2532 has 7Tide.exe as its parent) and the "Loads Python modules" indicator. The "Loads dropped or rewritten executable" hit is therefore the expected behaviour of any PyInstaller-packaged program, benign or not, and is not on its own evidence of malicious intent.

PID | Process | Filename | Type
3916 | 7Tide.exe | C:\Users\admin\AppData\Local\Temp\_MEI39162\PySide\QtNetwork.pyd | executable
  MD5: A0E1E452E3493F52CBB5BAD2428F82BE
  SHA256: 3D17DB6F0F98E924BACCDCA2EC598249827AD52C23E4499D4DE085827184975D
3916 | 7Tide.exe | C:\Users\admin\AppData\Local\Temp\_MEI39162\_bz2.pyd | executable
  MD5: 6C4CF137260AF88822EEFDDBCC37CA49
  SHA256: 79F89C7B725606B1577ACEE003A66CC3826C3DE8C101EF963C808B0CDECB266A
3916 | 7Tide.exe | C:\Users\admin\AppData\Local\Temp\_MEI39162\PySide\QtCore.pyd | executable
  MD5: 251D552AEC11049E679A2FB46AB7CC6E
  SHA256: 146638EE8E18F72031F350910A4334849337FB56091718846B3BFB54796C9A1F
3916 | 7Tide.exe | C:\Users\admin\AppData\Local\Temp\_MEI39162\QtOpenGL4.dll | executable
  MD5: 4712A351ADED9BCE35730915CE00D92A
  SHA256: 651F866D7FD86E3DB1FB0989BBF372BDC4721F05899B2BD5666458EF13253FB1
3916 | 7Tide.exe | C:\Users\admin\AppData\Local\Temp\_MEI39162\QtNetwork4.dll | executable
  MD5: 34127B8F45D53A06924E643A568CE023
  SHA256: EECD54709058A30D86E05FF4F300AA9DF8C8AF2F86BCD06CA28C2AD2E4FF93C9
3916 | 7Tide.exe | C:\Users\admin\AppData\Local\Temp\_MEI39162\_hashlib.pyd | executable
  MD5: 53BB410856CCC7962E437FDC0D38B9B4
  SHA256: 5D1B4C2FCF08128C382E0F34230FD8065154819187380936D3874E299701986A
3916 | 7Tide.exe | C:\Users\admin\AppData\Local\Temp\_MEI39162\_lzma.pyd | executable
  MD5: 08825B41E9A6A64AEF4C8543AA2AA429
  SHA256: 05AF15186585CBD4AEBB099ACBFAACBD2F5E4B003B38257C23030E7F51192BEE
3916 | 7Tide.exe | C:\Users\admin\AppData\Local\Temp\_MEI39162\QtSql4.dll | executable
  MD5: B70C547FBB4B58E1634D670C02BC90A0
  SHA256: 9A8F359086C80593BCD92C395EC8B3A538203B6AD631430507EF11D97A27C8B0
3916 | 7Tide.exe | C:\Users\admin\AppData\Local\Temp\_MEI39162\QtCore4.dll | executable
  MD5: E9E7C750D68A053A0364DB25C7E3DB61
  SHA256: D0E67ACC03B3706C2D413AC02EA28AC894940BB071F2AF34B6AF8238FF6E260D
3916 | 7Tide.exe | C:\Users\admin\AppData\Local\Temp\_MEI39162\_ssl.pyd | executable
  MD5: AD4379169BBCF4584370E5BC3615D694
  SHA256: 305ED0483A318BA2970BF99E56FBF5E693AD02E3B9C37FFADB4E93CC0FD9CDF0
HTTP(S) requests: 1
TCP/UDP connections: 21
DNS requests: 11
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
236 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
236 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
236 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
880 | iexplore.exe | 87.250.251.119:443 | mc.yandex.ru | YANDEX LLC | RU | whitelisted
880 | iexplore.exe | 87.117.239.148:80 | dl.drp.su | iomart Cloud Services Limited. | GB | malicious
880 | iexplore.exe | 87.117.239.151:80 | dl.drp.su | iomart Cloud Services Limited. | GB | malicious
880 | iexplore.exe | 87.250.250.50:443 | yadi.sk | YANDEX LLC | RU | whitelisted
236 | iexplore.exe | 87.250.250.50:443 | yadi.sk | YANDEX LLC | RU | whitelisted
2384 | iexplore.exe | 89.163.246.44:443 | igtools.net | myLoc managed IT AG | DE | unknown
2384 | iexplore.exe | 23.111.9.64:443 | cdn.materialdesignicons.com | netDNA | US | unknown
2384 | iexplore.exe | 23.111.8.154:443 | oss.maxcdn.com | netDNA | US | unknown

Note that the report's reputation labels are not consistent across tables: dl.drp.su is "malicious" here but "whitelisted" in the DNS table below, and cdn.materialdesignicons.com is "unknown" here but "malicious" below. The only signature that fired during the run is the .su TLD DNS rule listed under Threats, so these labels reflect list-based reputation rather than inspected content; verify the HTTP streams in the PCAP before treating any of them as an IOC. All of this traffic was generated by the Internet Explorer processes the sample launched, not by 7Tide.exe itself.

DNS requests

Domain
IP
Reputation
dl.drp.su
  • 87.117.239.151
  • 87.117.239.148
  • 88.150.137.207
  • 95.154.237.19
  • 87.117.239.150
  • 87.117.231.157
  • 81.94.192.167
  • 81.94.205.66
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
yadi.sk
  • 87.250.250.50
shared
mc.yandex.ru
  • 87.250.251.119
  • 77.88.21.119
  • 87.250.250.119
  • 93.158.134.119
whitelisted
igtools.net
  • 89.163.246.44
unknown
cdn.materialdesignicons.com
  • 23.111.9.64
malicious
www.googletagmanager.com
  • 172.217.16.200
whitelisted
oss.maxcdn.com
  • 23.111.8.154
whitelisted
fonts.googleapis.com
  • 172.217.22.74
whitelisted
fonts.gstatic.com
  • 216.58.206.3
whitelisted

Threats

Class: Potentially Bad Traffic
Message: ET DNS Query for .su TLD (Soviet Union) Often Malware Related
(The report does not attribute this alert to a PID or process.)
No debug info
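The single alert in this report is a TLD-based DNS signature: it fires on any query whose QNAME ends in the two-byte label "su" followed by the zero terminator (the wire-format suffix 02 73 75 00), regardless of the rest of the name. The script below is an added example for this page, not the ANY.RUN report's code and not the Emerging Threats rule text itself; it parses the question section of raw DNS query packets and applies that check, so names that merely contain "su" in an inner label (su.example.com) do not match, responses are ignored, and truncated packets are skipped rather than mis-classified. The packets are constructed inline to mirror the lookups listed in the report, and WATCHED_TLDS is an assumed configuration value.

```python
"""Apply the .su TLD check from the ET alert above to raw DNS query packets.

Added example, not part of the ANY.RUN report and not the Emerging Threats
rule text. The alert fires on a DNS query whose QNAME ends in the two-byte
label "su" followed by the zero terminator (wire-format suffix 02 73 75 00);
the parser below decodes the question section the same way. Packets are
constructed here to mirror the report's lookups.
"""
import struct

WATCHED_TLDS = {"su"}  # assumption: extend with other TLDs you want to alert on


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed standard A query (QR=0, RD=1, QDCOUNT=1) for `name`, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\0"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes, offset: int = 12):
    """Decode the first question's QNAME; returns (lowercased labels, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return labels, offset + 1
        if length & 0xC0:
            # Compression pointers belong in answers; a query QNAME with one is malformed.
            raise ValueError("compression pointer in question QNAME")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii", "replace").lower())
        offset += length


def query_tld(packet: bytes):
    """Return the watched TLD queried by `packet`, or None (responses never match)."""
    if len(packet) < 12:
        return None
    flags, qdcount = struct.unpack_from(">HH", packet, 2)
    if flags & 0x8000 or qdcount == 0:  # QR=1 is a response; no question section
        return None
    try:
        labels, _ = parse_qname(packet)
    except (ValueError, IndexError):
        return None  # truncated or malformed: not a TLD match (log it separately)
    if not labels:
        return None  # query for the root zone has no TLD
    return labels[-1] if labels[-1] in WATCHED_TLDS else None


def scan(packets) -> list:
    """Return the queried names (lowercased, no trailing dot) that hit a watched TLD."""
    hits = []
    for pkt in packets:
        if query_tld(pkt):
            labels, _ = parse_qname(pkt)
            hits.append(".".join(labels))
    return hits


if __name__ == "__main__":
    sample = [build_query(n) for n in ("dl.drp.su", "www.bing.com", "su.example.com", "yadi.sk")]
    print(scan(sample))  # only dl.drp.su matches
```

A rule of this kind says nothing about the content exchanged with the host: in this run the .su query came from the iexplore.exe child that the sample opened, so the alert is a pivot for further inspection of the dl.drp.su HTTP streams, not a verdict by itself.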