analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

IE8-WindowsXP-x86-ENU.exe

Full analysis: https://app.any.run/tasks/e0849901-7004-4ad5-bcf9-a6acc9de6e5b
Verdict: Malicious activity
Analysis date: May 29, 2020, 20:44:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

A0669F24031E77EB72260D99579951DA

SHA1:

FAB0A37F74696182D9B07A5B5EEEBA116737090F

SHA256:

CAEF5C8ECA5768B94E673E5A98B766A935EBCD69E5351F2715EB4EBF24D59F19

SSDEEP:

393216:oPsh3JzzE90a6Ehhjylqp+kXxnBcqQyjqTTQMhfPV/L:Ks5Jzz/Ehhj6qUkXxBL/C8uj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • iesetup.exe (PID: 1400)
    • Application was dropped or rewritten from another process

      • iesetup.exe (PID: 1400)
      • iesetup.exe (PID: 960)
    • Changes settings of System certificates

      • iesetup.exe (PID: 1400)
  • SUSPICIOUS

    • Creates files in the Windows directory

      • iesetup.exe (PID: 1400)
    • Creates executable files which already exist in Windows

      • IE8-WindowsXP-x86-ENU.exe (PID: 2868)
    • Executable content was dropped or overwritten

      • IE8-WindowsXP-x86-ENU.exe (PID: 2868)
    • Adds / modifies Windows certificates

      • iesetup.exe (PID: 1400)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • IE8-WindowsXP-x86-ENU.exe (PID: 2868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | MS generic-sfx Cabinet File Unpacker (32/64bit MSCFU) (80.1)
.exe | Win32 Executable MS Visual C++ (generic) (7.1)
.exe | Win64 Executable (generic) (6.3)
.scr | Windows screen saver (2.9)
.dll | Win32 Dynamic Link Library (generic) (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2005:06:28 18:55:01+02:00
PEType: PE32
LinkerVersion: 7.1
CodeSize: 31232
InitializedDataSize: 72704
UninitializedDataSize: -
EntryPoint: 0x5a45
OSVersion: 5.2
ImageVersion: 5.2
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.2.29.0
ProductVersionNumber: 6.2.29.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Self-Extracting Cabinet
FileVersion: 6.2.0029.0 (SRV03_QFE.031113-0918)
InternalName: SFXCAB.EXE
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: SFXCAB.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.2.0029.0

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 28-Jun-2005 16:55:01
Detected languages:
  • English - United States
Debug artifacts:
  • db
CompanyName: Microsoft Corporation
FileDescription: Self-Extracting Cabinet
FileVersion: 6.2.0029.0 (SRV03_QFE.031113-0918)
InternalName: SFXCAB.EXE
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: SFXCAB.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.2.0029.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 28-Jun-2005 16:55:01
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_NET_RUN_FROM_SWAP
  • IMAGE_FILE_RELOCS_STRIPPED
  • IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00002000
0x00007982
0x00007A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.61008
.data
0x0000A000
0x000110D4
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.509584
.rsrc
0x0001C000
0x00000988
0x00E63800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.99977

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.5279
904
UNKNOWN
English - United States
RT_VERSION
100
3.0946
282
UNKNOWN
English - United States
RT_DIALOG
107
2.9591
224
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
msvcrt.dll
ntdll.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start ie8-windowsxp-x86-enu.exe iesetup.exe no specs iesetup.exe

Process information

PID
CMD
Path
Indicators
Parent process
2868"C:\Users\admin\AppData\Local\Temp\IE8-WindowsXP-x86-ENU.exe" C:\Users\admin\AppData\Local\Temp\IE8-WindowsXP-x86-ENU.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Self-Extracting Cabinet
Exit code:
7
Version:
6.2.0029.0 (SRV03_QFE.031113-0918)
960c:\6358e45594b9a54102f67819\update\iesetup.exec:\6358e45594b9a54102f67819\update\iesetup.exeIE8-WindowsXP-x86-ENU.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Internet Explorer 8 Setup Utility
Exit code:
3221226540
Version:
8.00.6001.17184 (longhorn_ie8_beta1(wmbla).080303-1908)
1400c:\6358e45594b9a54102f67819\update\iesetup.exec:\6358e45594b9a54102f67819\update\iesetup.exe
IE8-WindowsXP-x86-ENU.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Internet Explorer 8 Setup Utility
Exit code:
7
Version:
8.00.6001.17184 (longhorn_ie8_beta1(wmbla).080303-1908)
Total events
1 205
Read events
7
Write events
0
Delete events
0

Modification events

No data
Executable files
113
Suspicious files
5
Text files
16
Unknown types
9

Dropped files

PID
Process
Filename
Type
2868IE8-WindowsXP-x86-ENU.exeC:\6358e45594b9a54102f67819\ieakmmc.chmchm
MD5:B2AA9E67DA4EDF5AEB80B21E426E7D64
SHA256:EB02AB555F8C4B47B45438B98B05054E4BF09D562E0E8F7EBE0C69F31EFF2C03
2868IE8-WindowsXP-x86-ENU.exeC:\6358e45594b9a54102f67819\ieapfltr.dllexecutable
MD5:F1AE2A724B314A56CB6F5BDC7C2DB5C6
SHA256:42B020B904AA4147BFCD109EA9E7CD203BB91E2BE810D9F1047DCCF78736D9B9
2868IE8-WindowsXP-x86-ENU.exeC:\6358e45594b9a54102f67819\ieapfltr.datexecutable
MD5:BA23EEECE60500D1391044F9ADEF3CBF
SHA256:AB92E15F9BFB1D691FFEF7FAD7CA4B7511C279FDDCCFBA346D6D443B223357FC
2868IE8-WindowsXP-x86-ENU.exeC:\6358e45594b9a54102f67819\dxtrans.dllexecutable
MD5:18C82D51FFEE41A96B59E3C665315B82
SHA256:3A96D99B7F6199C6F5AE4F023E464A4AD2A9A0A63B365D5F087DB7551353787E
2868IE8-WindowsXP-x86-ENU.exeC:\6358e45594b9a54102f67819\advpack.dllexecutable
MD5:170FD8C49DBDE19B5798F0E621030D10
SHA256:22FC931691E1B622E326E70C135EEFAF84201BA2E83BF700AB8E6CDA8C1C6957
2868IE8-WindowsXP-x86-ENU.exeC:\6358e45594b9a54102f67819\admparse.dllexecutable
MD5:0075060C2AB9800C6E2BD5EE2BBC01FF
SHA256:3E8737D12F8260B99325290F622D21A02AE7C94FF62FC064943257DB9E653ECC
2868IE8-WindowsXP-x86-ENU.exeC:\6358e45594b9a54102f67819\icardie.dllexecutable
MD5:2102870C88849851AA2CB56AF03C95E6
SHA256:EE1848E46FF598476D3ACFF4DC488E2B2506F18C801A5A2BDF69700A2E7E0E09
2868IE8-WindowsXP-x86-ENU.exeC:\6358e45594b9a54102f67819\ieaksie.dllexecutable
MD5:1D1B0C48F04AB1772A003E82E21F0B7C
SHA256:D3885EEFFEE486B8293BEEFFFE75A7750FE92F29EB25C72C84A9B0A02F57715F
2868IE8-WindowsXP-x86-ENU.exeC:\6358e45594b9a54102f67819\inetcpl.cplexecutable
MD5:58E1184192AC671BB85AD14659CD7439
SHA256:D00B1060F672EFFAF3D6FBC3DB24B767F6D932C57E7300442D46181C9292E3FE
2868IE8-WindowsXP-x86-ENU.exeC:\6358e45594b9a54102f67819\inetres.admtext
MD5:A38FE89DFA3895E6670EEA547942A7F7
SHA256:0E6F12ED49522E62CC9B440AACDBD53F6832C52DEC0B3A47D68DDAF158D75A31
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info