analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

qh2.exe

Full analysis: https://app.any.run/tasks/fd50a850-6945-45a6-917a-687662597647
Verdict: Malicious activity
Analysis date: May 24, 2019, 13:24:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

F79A6FC6DD8C41FCFD58A90E72921A6E

SHA1:

DF6C66360DE2DCEB93545825B4F88E52E51C7DE3

SHA256:

CDCE3149A002151500FF50888F7A1E916A3A9862CF1203F91F5F7D4F684470FD

SSDEEP:

98304:dvQoHw0APe24gD2lIISdzy7Zlhc8DozIq5bC:DHwEkqSd0ZlDGbC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • qh.exe (PID: 3576)
      • qh2.exe (PID: 3116)
      • qh2.exe (PID: 2996)

  • SUSPICIOUS

    • Application launched itself

      • qh2.exe (PID: 2996)

    • Low-level read access rights to disk partition

      • qh.exe (PID: 3576)
      • qh2.exe (PID: 3116)

    • Starts itself from another location

      • qh2.exe (PID: 3116)

    • Reads internet explorer settings

      • qh.exe (PID: 3576)

    • Creates files in the user directory

      • qh2.exe (PID: 3116)
      • qh.exe (PID: 3576)

    • Executable content was dropped or overwritten

      • qh2.exe (PID: 2996)
      • qh2.exe (PID: 3116)

    • Changes IE settings (feature browser emulation)

      • qh2.exe (PID: 2996)
      • qh2.exe (PID: 3116)
      • qh.exe (PID: 3576)

    • Reads Internet Cache Settings

      • qh.exe (PID: 3576)

    • Creates a software uninstall entry

      • qh2.exe (PID: 3116)

    • Creates files in the program directory

      • qh2.exe (PID: 3116)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

ProductVersion: 2.2.0.1001
ProductName: 游戏微端
OriginalFileName: LiteGameBox2
LegalCopyright: 版权所有 (C) 2008-2019 www.ludashi.com
InternalName: LiteGameBox2_externel
FileVersion: 2.2.0.1001
FileDescription: 游戏微端
CharacterSet: Unicode
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0017
ProductVersionNumber: 2.2.0.1001
FileVersionNumber: 2.2.0.1001
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0xa23f9
UninitializedDataSize: -
InitializedDataSize: 2326528
CodeSize: 937472
LinkerVersion: 14.14
PEType: PE32
TimeStamp: 2019:05:08 11:56:50+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 08-May-2019 09:56:50
Detected languages:
  • Chinese - PRC
  • English - United States
Debug artifacts:
  • C:\vmagent_new\bin\joblist\346513\out\Release\LiteGameBox2.pdb
FileDescription: 游戏微端
FileVersion: 2.2.0.1001
InternalName: LiteGameBox2_externel
LegalCopyright: 版权所有 (C) 2008-2019 www.ludashi.com
OriginalFilename: LiteGameBox2
ProductName: 游戏微端
ProductVersion: 2.2.0.1001

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000168

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 08-May-2019 09:56:50
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000E4CCB
0x000E4E00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.5759
.rdata
0x000E6000
0x00036E08
0x00037000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.23437
.data
0x0011D000
0x0000900C
0x00006000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.55408
.rsrc
0x00127000
0x001ED570
0x001ED600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.48417
.reloc
0x00315000
0x0000D964
0x0000DA00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.55425

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.3298
822
Latin 1 / Western European
English - United States
RT_MANIFEST
2
5.96223
4264
Latin 1 / Western European
Chinese - PRC
RT_ICON
3
5.93358
2440
Latin 1 / Western European
Chinese - PRC
RT_ICON
4
5.78979
1128
Latin 1 / Western European
Chinese - PRC
RT_ICON
8
1.47716
44
Latin 1 / Western European
Chinese - PRC
RT_STRING
9
0.545897
36
Latin 1 / Western European
Chinese - PRC
RT_STRING
121
2.62308
62
Latin 1 / Western European
Chinese - PRC
RT_GROUP_ICON
126
7.99661
879703
Latin 1 / Western European
Chinese - PRC
ZIPRES
129
6.70078
883016
Latin 1 / Western European
Chinese - PRC
FILERES
131
6.70347
236872
Latin 1 / Western European
Chinese - PRC
FILERES

Imports

ADVAPI32.dll
COMCTL32.dll
CRYPT32.dll
GDI32.dll
IMM32.dll
IPHLPAPI.DLL
KERNEL32.dll
MSIMG32.dll
OLEAUT32.dll
PSAPI.DLL
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start qh2.exe qh2.exe qh.exe

Process information

PID
CMD
Path
Indicators
Parent process
2996"C:\Users\admin\AppData\Local\Temp\qh2.exe" C:\Users\admin\AppData\Local\Temp\qh2.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
游戏微端
Exit code:
0
Version:
2.2.0.1001
3116"C:\Users\admin\AppData\Local\Temp\qh2.exe" --norunasC:\Users\admin\AppData\Local\Temp\qh2.exe
qh2.exe
User:
admin
Integrity Level:
HIGH
Description:
游戏微端
Exit code:
0
Version:
2.2.0.1001
3576"C:\Users\admin\AppData\Roaming\LiteGameBox_qh\qh.exe" C:\Users\admin\AppData\Roaming\LiteGameBox_qh\qh.exe
qh2.exe
User:
admin
Integrity Level:
HIGH
Description:
游戏微端
Exit code:
0
Version:
2.2.0.1001
Total events
933
Read events
862
Write events
0
Delete events
0

Modification events

No data
Executable files
7
Suspicious files
3
Text files
25
Unknown types
5

Dropped files

PID
Process
Filename
Type
3116qh2.exeC:\Users\admin\AppData\Local\Temp\LiteGameBox_qh\qh.uicompressed
MD5:4315AABBC3F8BCB53FBD80F2FFCC5937
SHA256:DC3A5400FA8B558B6C7079BA70E8282F53CAED542EDDFFE12CEA686601CA2B9E
3576qh.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\index[1].htmlhtml
MD5:A3D1F63F9F07200D9CDB11E85A100177
SHA256:3DFB911DCDA135A4D1DF8B261E0B742BFFDCA40849BD4A2F1ECC90303FB10D21
3116qh2.exeC:\Users\admin\AppData\Roaming\LiteGameBox_qh\qh.jsontext
MD5:01CE0B28457615ED2A061D60EF959E98
SHA256:108E55840C843C091EAF8A533B675C10C790DCA652C980C593F464B6594FAB35
3116qh2.exeC:\Users\admin\AppData\Roaming\LiteGameBox_qh\qh.icoimage
MD5:DD42A27286AFDAA96D4E099C48710D49
SHA256:C30A71100F770959E92390DAC3CBF9ECBEF7F6A46BBF89A723F1F60977C620EE
3576qh.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\bg[1].jpgimage
MD5:582D10D1D8C2505AA80661795888464D
SHA256:5F5D58121C594FE4315A382454265E95AE822466CE6DA3D770BB6140FE7FE112
3116qh2.exeC:\Users\Public\Desktop\枪魂.lnklnk
MD5:D592062AFDF5FE1E8500817A4B96566C
SHA256:0A3322956FDF262DC97D42662D75FE478F207234FF20109D29E913D415401399
3116qh2.exeC:\Users\admin\AppData\Roaming\LiteGameBox_qh\qh.uicompressed
MD5:4315AABBC3F8BCB53FBD80F2FFCC5937
SHA256:DC3A5400FA8B558B6C7079BA70E8282F53CAED542EDDFFE12CEA686601CA2B9E
3116qh2.exeC:\Users\admin\AppData\Roaming\LiteGameBox_qh\枪魂.lnklnk
MD5:156321441FA6AE63F44F72EE6417A32C
SHA256:44ACD6CC8C726DADB6808006D4C5F6A3E9D7B3BB7EE10145346D759FC5746A26
3576qh.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\index[1].csstext
MD5:1A38CBFCAF0BCFAAEB1E1912E6406F74
SHA256:41694C21F327DF3C4CCF74B341CF466124C8D543260442DDE6B61F1181CD6CD9
3576qh.exeC:\Users\admin\AppData\Local\Temp\LiteGameBox2Run_qh\qh.uicompressed
MD5:4315AABBC3F8BCB53FBD80F2FFCC5937
SHA256:DC3A5400FA8B558B6C7079BA70E8282F53CAED542EDDFFE12CEA686601CA2B9E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
10
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3576
qh.exe
GET
200
122.228.4.188:80
http://cdn-file.ludashi.com/wan/micro/qh/assets/bg.jpg
CN
image
37.8 Kb
suspicious
3576
qh.exe
GET
200
122.228.4.188:80
http://cdn-file.ludashi.com/wan/micro/qh/assets/font_hover.png
CN
image
1.57 Kb
suspicious
3576
qh.exe
GET
200
122.228.4.188:80
http://cdn-file.ludashi.com/wan/micro/qh/assets/abcdedf.png
CN
image
57.4 Kb
suspicious
3576
qh.exe
GET
200
122.228.4.188:80
http://cdn-file.ludashi.com/wan/micro/qh/assets/index.css?t=1
CN
text
1.49 Kb
suspicious
3576
qh.exe
GET
200
139.129.105.182:80
http://wan.ludashi.com/micro/qh/index.html?channel=tp&from=tp_wd
CN
html
3.00 Kb
unknown
3576
qh.exe
GET
200
122.228.4.188:80
http://cdn-file.ludashi.com/wan/micro/qh/assets/anc_bg.png
CN
image
6.45 Kb
suspicious
3576
qh.exe
GET
200
103.235.46.191:80
http://hm.baidu.com/hm.js?0bd99deb4f87764a2c6f514484a00ed3
HK
text
11.5 Kb
whitelisted
3576
qh.exe
GET
200
122.228.4.188:80
http://cdn-file.ludashi.com/wan/micro/qh/assets/box_bg.png
CN
image
6.79 Kb
suspicious
3576
qh.exe
GET
200
122.228.4.188:80
http://cdn-file.ludashi.com/wan/micro/qh/assets/index.css?t=1
CN
text
1.49 Kb
suspicious
3576
qh.exe
GET
200
125.77.142.201:80
http://cdn-wan.ludashi.com/assets/superjs/config.js?v=20190228
CN
text
995 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3576
qh.exe
139.129.105.182:80
wan.ludashi.com
Hangzhou Alibaba Advertising Co.,Ltd.
CN
unknown
3576
qh.exe
54.230.93.187:443
s0.ssl.qhimg.com
Amazon.com, Inc.
US
unknown
3576
qh.exe
122.228.4.188:80
cdn-file.ludashi.com
CHINANET Sichuan province Chengdu MAN network
CN
unknown
3576
qh.exe
125.77.142.201:80
cdn-wan.ludashi.com
No.31,Jin-rong Street
CN
unknown
3576
qh.exe
120.27.82.56:80
i.ludashi.com
Hangzhou Alibaba Advertising Co.,Ltd.
CN
unknown
3576
qh.exe
103.235.46.191:80
hm.baidu.com
Beijing Baidu Netcom Science and Technology Co., Ltd.
HK
suspicious

DNS requests

Domain
IP
Reputation
wan.ludashi.com
  • 139.129.105.182
unknown
cdn-file.ludashi.com
  • 122.228.4.188
  • 122.228.4.220
  • 122.228.4.225
  • 122.228.4.189
  • 122.228.4.221
  • 122.228.4.224
  • 122.228.4.155
  • 122.228.4.197
suspicious
s0.ssl.qhimg.com
  • 54.230.93.187
  • 54.230.93.253
  • 54.230.93.25
  • 54.230.93.146
whitelisted
hm.baidu.com
  • 103.235.46.191
whitelisted
cdn-wan.ludashi.com
  • 125.77.142.201
suspicious
i.ludashi.com
  • 120.27.82.56
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
qh2.exe