File name: odbcad32
Full analysis: https://app.any.run/tasks/deca6bb0-e89e-45a5-81b6-c10c0f399210
Verdict: Malicious activity
Analysis date: January 18, 2020, 11:23:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: 70CFF7C176C7DF265A808AA52DAF6F34
SHA1: 045D65B51FC3C0A051C038F8E19421798011F692
SHA256: CAA46C001C3180EB7FDD5E5CBF7D084B75B7BDF72E61E06430A88378604A25EB
SSDEEP: 49152:FP2O39Y1FN8zbAGWinOmp66V3H55eObRx:FOO39SN8zbzlZp66V3HPeE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Creates or modifies windows services
      • rundll32.exe (PID: 2896)
    • Starts NET.EXE for service management
      • odbcad32.exe (PID: 3428)
    • Loads dropped or rewritten executable
      • rundll32.exe (PID: 2896)
      • svchost.exe (PID: 2172)
  • SUSPICIOUS
    • Uses RUNDLL32.EXE to load library
      • odbcad32.exe (PID: 3428)
    • Executable content was dropped or overwritten
      • odbcad32.exe (PID: 3428)
    • Creates files in the Windows directory
      • odbcad32.exe (PID: 3428)
      • svchost.exe (PID: 2172)
    • Creates files in the driver directory
      • svchost.exe (PID: 2172)
    • Starts CMD.EXE for commands execution
      • odbcad32.exe (PID: 3428)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1970:01:01 04:25:45+01:00
PEType: PE32
LinkerVersion: 2.52
CodeSize: 28908
InitializedDataSize: 1105920
UninitializedDataSize: 2588
EntryPoint: 0x63ee4
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.1.7600.16385
ProductVersionNumber: 6.1.7600.16385
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: ODBC Administrator
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
InternalName: odbcad32.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: odbcad32.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.1.7600.16385

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 01-Jan-1970 03:25:45

DOS Header

Magic number: MZ
Bytes on last page of file: 0x000A
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00C0
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 8
Time date stamp: 01-Jan-1970 03:25:45
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000070EC | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0
.data | 0x00009000 | 0x0000101C | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.link | 0x0000B000 | 0x00000B32 | 0x00000000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.UPX0 | 0x0000C000 | 0x00055B84 | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.tls | 0x00062000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.UPX1 | 0x00063000 | 0x00197E15 | 0x00198000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.82804
.rloc | 0x001FB000 | 0x00000168 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.08307
.rsrc | 0x001FC000 | 0x0010C634 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.5402

Imports

COMCTL32.DLL
GDI32.DLL
KERNEL32.DLL
OLE32.DLL
OLEAUT32.DLL
SHLWAPI.DLL
USER32.DLL
WS2_32.DLL
No data.
Total processes: 48
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Process chain (nodes marked "no specs" raised no signatures of their own):
start → odbcad32.exe (no specs) → odbcad32.exe → net.exe (no specs) → net1.exe (no specs) → rundll32.exe (no specs) → net.exe (no specs) → net1.exe (no specs) → cmd.exe (no specs) → svchost.exe

Process information

PID: 640
CMD: "C:\Users\admin\AppData\Local\Temp\odbcad32.exe"
Path: C:\Users\admin\AppData\Local\Temp\odbcad32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: ODBC Administrator
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3428
CMD: "C:\Users\admin\AppData\Local\Temp\odbcad32.exe"
Path: C:\Users\admin\AppData\Local\Temp\odbcad32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: ODBC Administrator
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1532
CMD: net stop "Remote Registry Configuration"
Path: C:\Windows\system32\net.exe
Parent process: odbcad32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2480
CMD: C:\Windows\system32\net1 stop "Remote Registry Configuration"
Path: C:\Windows\system32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2896
CMD: C:\Windows\System32\rundll32.exe "C:\Windows\system32\odbccx32.dll",Install
Path: C:\Windows\System32\rundll32.exe
Parent process: odbcad32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3284
CMD: net start "Remote Registry Configuration"
Path: C:\Windows\system32\net.exe
Parent process: odbcad32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1724
CMD: C:\Windows\system32\net1 start "Remote Registry Configuration"
Path: C:\Windows\system32\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Net Command
Exit code: 2
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2396
CMD: cmd /c C:\Users\admin\AppData\Local\Temp\pKHTGCmdoO.bat
Path: C:\Windows\system32\cmd.exe
Parent process: odbcad32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2172
CMD: C:\Windows\System32\svchost.exe -k netsvcs
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Total events: 18
Read events: 13
Write events: 5
Delete events: 0

Modification events

(PID) Process: (3428) odbcad32.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest
Operation: write
Name: UseLogonCredential
Value: 1

(PID) Process: (2896) rundll32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Operation: write
Name: netsvcs
Value: AeLookupSvc

(PID) Process: (2896) rundll32.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvc_c4ba3647
Operation: write
Name: Description
Value: @regsvc.dll,-2

(PID) Process: (2896) rundll32.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvc_c4ba3647\Parameters
Operation: write
Name: ServiceDll
Value: C:\Windows\system32\odbccx32.dll

(PID) Process: (2896) rundll32.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\netsvc_c4ba3647\Parameters
Operation: write
Name: ServiceDllUnloadOnStop
Value: 0

Executable files: 2
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3428 | odbcad32.exe | C:\Users\admin\AppData\Local\Temp\pKHTGCmdoO.bat |
MD5:
SHA256:
3428 | odbcad32.exe | C:\Windows\system32\odbccx32.dll | executable
MD5: A9C2FF438C73E865624EEB0763235A14
SHA256: 1CC3978D3764C421A4AC810978F3D9E3F606C8EE7C79A7395D49B33AAE16A601
2172 | svchost.exe | C:\Windows\system32\drivers\autochk.sys | executable
MD5: 7520EC808E0C35E0EE6F841294316653
SHA256: 6EC65511B4838A7172A8F89E35C2F9DF4F0BFCE3BE12EDA790F3EB567102FF67

HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2172 | svchost.exe | 77.73.69.38:53 | yofeopxuuehixwmj.redhatupdater.com | OOO Fishnet Communications | RU | unknown
2172 | svchost.exe | 77.73.69.38:80 | yofeopxuuehixwmj.redhatupdater.com | OOO Fishnet Communications | RU | unknown

DNS requests

Domain | IP | Reputation
yofeopxuuehixwmj.redhatupdater.com | 77.73.69.38 | malicious

Threats

No threats detected
No debug info