analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

pe.exe

Full analysis: https://app.any.run/tasks/17cafc2e-ce76-4a40-b939-f6a165e9d66b
Verdict: Malicious activity
Analysis date: July 12, 2020, 21:32:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

DE78BB1A9E9C6155BEC18582CB21D6C7

SHA1:

23597CF146AE22A57E3956B8E5DFBC3FE28098CE

SHA256:

CE0DC68F7DE21DFA0B67B3E25EE6F88CE885E505F0DBA4B1DAFD51AE03FE46A1

SSDEEP:

24576:z8F7Ak1vw4FeahWCsMxFe7wmxHRNVT7XFRahWovMxFz70m/H2VmTay:z8Tca8MepVha8Lzl/d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 2812)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • pe.exe (PID: 2088)
      • pe.bat (PID: 3932)
    • Starts application with an unusual extension

      • pe.exe (PID: 2088)
    • Suspicious files were dropped or overwritten

      • pe.exe (PID: 2088)
    • Starts itself from another location

      • pe.exe (PID: 2088)
    • Starts CMD.EXE for commands execution

      • pe.bat (PID: 3932)
    • Creates files in the user directory

      • powershell.exe (PID: 668)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion: 1.7
ProductName: BAT2EXE
OriginalFileName: bat2exe.exe
LegalCopyright: Islam Adel
InternalName: bat2exe.exe
FileVersion: 1.7
FileDescription: Created by BAT2EXE.net
CompanyName: Islam Adel
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.7.0.0
FileVersionNumber: 1.7.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x167d2
UninitializedDataSize: -
InitializedDataSize: 43008
CodeSize: 93184
LinkerVersion: 6
PEType: PE32
TimeStamp: 2016:10:04 17:12:31+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 04-Oct-2016 15:12:31
Detected languages:
  • English - United States
CompanyName: Islam Adel
FileDescription: Created by BAT2EXE.net
FileVersion: 1.7
InternalName: bat2exe.exe
LegalCopyright: Islam Adel
OriginalFilename: bat2exe.exe
ProductName: BAT2EXE
ProductVersion: 1.7

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 04-Oct-2016 15:12:31
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00016BC5
0x00016C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.63827
.rdata
0x00018000
0x00003814
0x00003A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.23725
.data
0x0001C000
0x00002430
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.87468
.sxdata
0x0001F000
0x00000004
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.0203931
.rsrc
0x00020000
0x000044FC
0x00004600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.90843

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.93201
848
UNKNOWN
English - United States
RT_MANIFEST
2
6.01638
4264
UNKNOWN
English - United States
RT_ICON
3
5.70086
1128
UNKNOWN
English - United States
RT_ICON
97
3.04857
184
UNKNOWN
English - United States
RT_DIALOG
188
2.17822
84
UNKNOWN
English - United States
RT_STRING
207
1.43775
52
UNKNOWN
English - United States
RT_STRING

Imports

KERNEL32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start pe.exe pe.bat cmd.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2088"C:\Users\admin\AppData\Local\Temp\pe.exe" C:\Users\admin\AppData\Local\Temp\pe.exe
explorer.exe
User:
admin
Company:
Islam Adel
Integrity Level:
MEDIUM
Description:
Created by BAT2EXE.net
Exit code:
0
Version:
1.7
3932"C:\Users\admin\AppData\Local\Temp\7zS8288EAA6\pe.bat" C:\Users\admin\AppData\Local\Temp\7zS8288EAA6\pe.bat
pe.exe
User:
admin
Company:
Islam Adel
Integrity Level:
MEDIUM
Description:
Created by BAT2EXE.net
Exit code:
0
Version:
1.7
2812cmd /c ""C:\Users\admin\AppData\Local\Temp\7zSC5FCE6B6\pe.bat" "C:\Windows\system32\cmd.exepe.bat
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
4294770688
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
668powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlA$C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4294770688
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
990
Read events
927
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
2
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
668powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\24OQE941E2PUUWZFIC8D.temp
MD5:
SHA256:
3932pe.batC:\Users\admin\AppData\Local\Temp\7zSC5FCE6B6\pe.battext
MD5:6C489257353122BF2D7E5215D6F18257
SHA256:4AB2190C3900185EB7040E280B1404345FAAC5B9B56420FF71E899725BC98F66
668powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF168e5a.TMPbinary
MD5:1E90447D6420E49907C88DAEEC8BED05
SHA256:9FE71CFB47F0331094D9EF67424CBE92C8C52B7CBCE21ED256020E30E2A758C5
2088pe.exeC:\Users\admin\AppData\Local\Temp\7zS8288EAA6\pe.batexecutable
MD5:196C17CC02CC0B71F8353A0E21BB5418
SHA256:6EDD5B884BE70FD3506CD9E9502E7DDAB2B68151B6473A95D4D0BF80B93E89FC
3932pe.batC:\Users\admin\AppData\Local\Temp\7zSC5FCE6B6\bat2exe.exeexecutable
MD5:127F2FD9512451EF0E6350FE2AB3235B
SHA256:26994DBA49E6FDF0290AEB47971C4D3F81BDCA838A4A4B313A5C0442CD792845
668powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:1E90447D6420E49907C88DAEEC8BED05
SHA256:9FE71CFB47F0331094D9EF67424CBE92C8C52B7CBCE21ED256020E30E2A758C5
2088pe.exeC:\Users\admin\AppData\Local\Temp\7zS8288EAA6\bat2exe.exeexecutable
MD5:127F2FD9512451EF0E6350FE2AB3235B
SHA256:26994DBA49E6FDF0290AEB47971C4D3F81BDCA838A4A4B313A5C0442CD792845
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info