File name: Unis.exe

Full analysis: https://app.any.run/tasks/765891a1-21da-46d6-9d6e-7f63c38d3152
Verdict: Malicious activity
Analysis date: May 31, 2024, 13:22:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5: E72088233E9D7D1D9826A35604C49FD7
SHA1: FA8A5990E2E1B7FB8E23AF3AE54BE58FCE2125C2
SHA256: D2E3B68594BA8A21EB03056554DCC6ED43030E6E2969CAEF6F205FE86390339C
SSDEEP: 24576:dwMaKYUcTqan0p4Vm7hTG/0ObcPljW3xyK6yvAWHLqTAI0NkwDRLE:dwfvUcTqanw4Vm7hTG/0ObcPljW3xyT7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Unis.exe (PID: 2104)
      • GoUnis.exe (PID: 2028)
      • cmd.exe (PID: 1184)
    • Create files in the Startup directory

      • cmd.exe (PID: 1184)
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • Unis.exe (PID: 2104)
      • GoUnis.exe (PID: 2028)
    • Starts CMD.EXE for commands execution

      • Unis.exe (PID: 2104)
      • GoUnis.exe (PID: 2028)
    • Executable content was dropped or overwritten

      • Unis.exe (PID: 2104)
      • GoUnis.exe (PID: 2028)
      • cmd.exe (PID: 1184)
    • The executable file from the user directory is run by the CMD process

      • GoUnis.exe (PID: 2028)
      • mbr.exe (PID: 1764)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1064)
      • cmd.exe (PID: 1184)
    • Reads the Internet Settings

      • GoUnis.exe (PID: 2028)
      • msdt.exe (PID: 2012)
    • Reads security settings of Internet Explorer

      • GoUnis.exe (PID: 2028)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1184)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1184)
  • INFO

    • Reads the computer name

      • Unis.exe (PID: 2104)
      • GoUnis.exe (PID: 2028)
    • Checks supported languages

      • Unis.exe (PID: 2104)
      • GoUnis.exe (PID: 2028)
      • mbr.exe (PID: 1764)
    • Create files in a temporary directory

      • Unis.exe (PID: 2104)
      • GoUnis.exe (PID: 2028)
      • msdt.exe (PID: 2012)
    • Creates files or folders in the user directory

      • Unis.exe (PID: 2104)
      • GoUnis.exe (PID: 2028)
    • Manual execution by a user

      • regedit.exe (PID: 1132)
      • taskmgr.exe (PID: 2328)
      • regedit.exe (PID: 2236)
      • msdt.exe (PID: 2012)
      • explorer.exe (PID: 2656)
    • Reads security settings of Internet Explorer

      • msdt.exe (PID: 2012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:07:30 08:52:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 70656
InitializedDataSize: 842240
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
FileVersionNumber: 3.6.5.4
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: Debug, Pre-release, Private build
FileOS: Windows 16-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileVersion: 3.6.5.4
ProductVersion: 4.2.2
ProductName: Unis
FileDescription: Science
LegalCopyright: Copyright © 2022 System64Intel
No data.
All screenshots are available in the full report
Total processes: 114
Monitored processes: 52
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start unis.exe cmd.exe no specs gounis.exe timeout.exe no specs cmd.exe reg.exe no specs reg.exe no specs reg.exe no specs mbr.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs regedit.exe no specs regedit.exe taskmgr.exe no specs timeout.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs timeout.exe no specs explorer.exe no specs taskkill.exe no specs taskkill.exe no specs timeout.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs timeout.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs timeout.exe no specs taskkill.exe no specs timeout.exe no specs taskkill.exe no specs taskkill.exe no specs timeout.exe no specs taskkill.exe no specs taskkill.exe no specs timeout.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs msdt.exe no specs unis.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 524
CMD: timeout /t 10
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID: 600
CMD: taskkill /im gameyure.exe /f
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
PID: 1008
CMD: timeout /t 25
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID: 1060
CMD: timeout /t 10
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID: 1064
CMD: "C:\Windows\system32\cmd" /c "C:\Users\admin\AppData\Local\Temp\4344.tmp\4345.tmp\4346.bat C:\Users\admin\Desktop\Unis.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: Unis.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1112
CMD: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1132
CMD: "C:\Windows\regedit.exe"
Path: C:\Windows\regedit.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
PID: 1184
CMD: "C:\Windows\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\667C.tmp\667D.tmp\667E.bat C:\Users\admin\AppData\Roaming\GoUnis.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: GoUnis.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1628
CMD: timeout /t 5
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
PID: 1652
CMD: timeout /t 10
Path: C:\Windows\System32\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
Total events: 3,332
Read events: 3,314
Write events: 18
Delete events: 0

Modification events

PID/Process: (2028) GoUnis.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

PID/Process: (2028) GoUnis.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

PID/Process: (2028) GoUnis.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

PID/Process: (2028) GoUnis.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

PID/Process: (1112) reg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableTaskMgr
Value: 1

PID/Process: (2204) reg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: disableregistrytools
Value: 1

PID/Process: (2012) msdt.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

PID/Process: (2012) msdt.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

PID/Process: (2012) msdt.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

PID/Process: (2012) msdt.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 32
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID: 2028
Process: GoUnis.exe
Filename: C:\Users\admin\AppData\Roaming\Asterisk.exe
Type: executable
MD5: 232A57B4C032887A85CAC1E82E372C02
SHA256: 4753AD0F4174149BC8A68F57F9D0F2BF1F96047613A92136D7FBE9DF52516E3F

PID: 2028
Process: GoUnis.exe
Filename: C:\Users\admin\AppData\Roaming\Block.exe
Type: executable
MD5: BA78D9B2BCC0DF8A78BD3EC81ECFBA4A
SHA256: BE03DC7957DDE60B64B0D4E5D649C0C68647FABF8396ED66137A3181CEF17913

PID: 2028
Process: GoUnis.exe
Filename: C:\Users\admin\AppData\Roaming\uekarasuton.exe
Type: executable
MD5: 6F65CED151EF0BAB1CD581D63D0E3AFC
SHA256: BF12AA570EBA439E7E362B8EB102F2AD3A073EE3B91ACB818310738F24538A36

PID: 2028
Process: GoUnis.exe
Filename: C:\Users\admin\AppData\Roaming\Question.exe
Type: executable
MD5: 79AFB736BE1A6A0C6207C5F0B93A406B
SHA256: 2C1546A62A57A256438070DC4551CDAF9EF1EA74DAB3DED1373ECCF1EDCE4EA7

PID: 2028
Process: GoUnis.exe
Filename: C:\Users\admin\AppData\Roaming\toke.exe
Type: executable
MD5: AF197F2D670CD2C28EF2FA815EEA17F6
SHA256: D99D0A7C9B0A9FF8B9F6A791D7DF0F2CD9BD191DC2875C676ECBB3314BEC91FE

PID: 2028
Process: GoUnis.exe
Filename: C:\Users\admin\AppData\Roaming\Unis.bat
Type: text
MD5: F6D4F889130CF1215E5C4A8194CC579B
SHA256: 902F4D49F6173776A8D1E2D013673BB105F1CCA5B8329063F92CE865DAB28167

PID: 2028
Process: GoUnis.exe
Filename: C:\Users\admin\AppData\Roaming\hageRGB.exe
Type: executable
MD5: C147F1C5F93C872182A69DCC222ED554
SHA256: B446DD815EE9D23CEDDA8C08798041FE1FF52C0316B7FB701BE9AB341466839E

PID: 2028
Process: GoUnis.exe
Filename: C:\Users\admin\AppData\Roaming\irohanten.exe
Type: executable
MD5: 796608BD05FB7DEC0E2880D356E60D4B
SHA256: F18C48A47C5DB78D97574FC519A7F6F77DD44D91595C8C162D523B25276157D5

PID: 2028
Process: GoUnis.exe
Filename: C:\Users\admin\AppData\Roaming\kunekunero-do.exe
Type: executable
MD5: 8D10FFB8A4C3BFE0DA54C7645D13BC31
SHA256: A79FB20FBC08FDDFA8B9F52A5E9D3F5610A65ECABEFEC632AD077A64EF4FD086

PID: 2104
Process: Unis.exe
Filename: C:\Users\admin\AppData\Local\Temp\4344.tmp\4345.tmp\4346.bat
Type: text
MD5: C645904EFC201E9CC2660D251A08F3CB
SHA256: 4E254EC30432A08D7A2A11ED188BD017FD555BD998C7233C1F444541FAC5001B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

IP: 224.0.0.252:5355
Reputation: unknown

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info