analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

NEW RELEASE.exe

Full analysis: https://app.any.run/tasks/5ef98c54-e898-4587-8c39-89a595ecc3f2
Verdict: Malicious activity
Analysis date: February 11, 2019, 09:58:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

FD795AA8E5FB45F117EE4FEAF5A4E2FA

SHA1:

D196A77195290EF214E0A345BDC9B1BFDA5E57E4

SHA256:

D3BCCC5F6F85F2B6D18B3BD961463583ACC2183E8A18516258F64A9F1741CC56

SSDEEP:

98304:vyurVX64DikVYc3ZuLb0lWZ7CS9iMqrn0+XYOFKl:6rIV5EL4lWZijIn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • DllHost.exe (PID: 3700)
      • explorer.exe (PID: 284)
      • DWB.exe (PID: 3312)
      • WinRAR.exe (PID: 3632)
      • dwm.exe (PID: 1988)
      • c0YPfe7h.exe (PID: 3968)
      • iexplore.exe (PID: 3084)
      • iexplore.exe (PID: 3804)
      • iexplore.exe (PID: 3824)
      • iexplore.exe (PID: 2428)
      • chrome.exe (PID: 1244)
      • chrome.exe (PID: 3608)
      • chrome.exe (PID: 3036)
      • chrome.exe (PID: 2968)
      • RogueKiller_portable32.exe (PID: 1060)
      • iexplore.exe (PID: 3112)
      • iexplore.exe (PID: 2792)

    • Application was dropped or rewritten from another process

      • DWB.exe (PID: 3312)
      • c0YPfe7h.exe (PID: 3968)
      • RogueKiller_portable32.exe (PID: 1060)
      • RogueKiller_portable32.exe (PID: 3360)

    • Changes the autorun value in the registry

      • DWB.exe (PID: 3312)

    • Loads the Task Scheduler COM API

      • RogueKiller_portable32.exe (PID: 1060)

    • Loads the Task Scheduler DLL interface

      • RogueKiller_portable32.exe (PID: 1060)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • NEW RELEASE.exe (PID: 2308)
      • WinRAR.exe (PID: 3632)
      • chrome.exe (PID: 1244)
      • RogueKiller_portable32.exe (PID: 1060)

    • Creates files in the program directory

      • NEW RELEASE.exe (PID: 2308)
      • DWB.exe (PID: 3312)
      • RogueKiller_portable32.exe (PID: 1060)

    • Creates files in the user directory

      • explorer.exe (PID: 284)

    • Reads Internet Cache Settings

      • explorer.exe (PID: 284)

    • Starts Internet Explorer

      • c0YPfe7h.exe (PID: 3968)
      • RogueKiller_portable32.exe (PID: 1060)

    • Low-level read access rights to disk partition

      • RogueKiller_portable32.exe (PID: 1060)

    • Creates files in the Windows directory

      • RogueKiller_portable32.exe (PID: 1060)

    • Creates files in the driver directory

      • RogueKiller_portable32.exe (PID: 1060)

    • Creates or modifies windows services

      • RogueKiller_portable32.exe (PID: 1060)

  • INFO

    • Changes settings of System certificates

      • iexplore.exe (PID: 3824)

    • Changes internet zones settings

      • iexplore.exe (PID: 3084)
      • iexplore.exe (PID: 3804)
      • iexplore.exe (PID: 3112)

    • Creates files in the user directory

      • iexplore.exe (PID: 3824)
      • iexplore.exe (PID: 2792)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3824)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3824)
      • chrome.exe (PID: 1244)

    • Application launched itself

      • iexplore.exe (PID: 3804)
      • chrome.exe (PID: 1244)
      • iexplore.exe (PID: 3112)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3824)

    • Reads settings of System Certificates

      • chrome.exe (PID: 1244)
      • RogueKiller_portable32.exe (PID: 1060)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x54c2
UninitializedDataSize: -
InitializedDataSize: 5122560
CodeSize: 39936
LinkerVersion: 9
PEType: PE32
TimeStamp: 2016:12:05 14:55:10+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Dec-2016 13:55:10
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 05-Dec-2016 13:55:10
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00009B64
0x00009C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.3934
.rdata
0x0000B000
0x00002340
0x00002400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.48747
.data
0x0000E000
0x00001F60
0x00000E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.29264
.rsrc
0x00010000
0x004DE3C0
0x004DE400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.76021
.reloc
0x004EF000
0x0000127E
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
3.61866

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.19546
660
Latin 1 / Western European
English - United States
RT_MANIFEST
2
6.26359
1384
Latin 1 / Western European
UNKNOWN
RT_ICON
3
6.11058
4264
Latin 1 / Western European
UNKNOWN
RT_ICON
4
6.29176
1128
Latin 1 / Western European
UNKNOWN
RT_ICON
101
3.45943
11
Latin 1 / Western European
UNKNOWN
RT_STRING
102
3.93633
1464
Latin 1 / Western European
UNKNOWN
RT_STRING
103
7.30892
486
Latin 1 / Western European
UNKNOWN
RT_STRING
104
7.47736
472
Latin 1 / Western European
UNKNOWN
RT_STRING
105
7.47931
441
Latin 1 / Western European
UNKNOWN
RT_STRING
106
7.28909
398
Latin 1 / Western European
UNKNOWN
RT_STRING

Imports

ADVAPI32.dll
KERNEL32.dll
USER32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
62
Monitored processes
26
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start new release.exe no specs new release.exe dwb.exe winrar.exe explorer.exe no specs Thumbnail Cache Out of Proc Server no specs c0ypfe7h.exe dwm.exe no specs iexplore.exe iexplore.exe iexplore.exe iexplore.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs roguekiller_portable32.exe no specs roguekiller_portable32.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3768"C:\Users\admin\Desktop\NEW RELEASE.exe" C:\Users\admin\Desktop\NEW RELEASE.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
2308"C:\Users\admin\Desktop\NEW RELEASE.exe" C:\Users\admin\Desktop\NEW RELEASE.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3312"C:\ProgramData\CBFGQF\DWB.exe" C:\ProgramData\CBFGQF\DWB.exe
NEW RELEASE.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3632"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\CFPHV2.0.zip"C:\Program Files\WinRAR\WinRAR.exe
NEW RELEASE.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
HIGH
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
284C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3700C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3968"C:\Users\admin\AppData\Local\Temp\Rar$EXa3632.13339\c0YPfe7h.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3632.13339\c0YPfe7h.exe
WinRAR.exe
User:
admin
Integrity Level:
HIGH
Description:
c0YPfe7h
Exit code:
0
Version:
2.0.0.0
1988"C:\Windows\system32\Dwm.exe"C:\Windows\System32\dwm.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Desktop Window Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3084"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
c0YPfe7h.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3824"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3084 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
4 494
Read events
4 143
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
143
Text files
125
Unknown types
14

Dropped files

PID
Process
Filename
Type
2308NEW RELEASE.exeC:\ProgramData\CBFGQF\DWB.02
MD5:
SHA256:
3084iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3084iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF8B84FFFD16108643.TMP
MD5:
SHA256:
284explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-msautomaticdestinations-ms
MD5:B614E12904EAD34A55500B81FC85B23C
SHA256:2A137D795E64BF69AA1E31C30048BB1CA08618579260B9EEA24A5B7EB4680AB2
284explorer.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019021120190212\index.datdat
MD5:4C9DC2C612C9BE3D11BDD8F36BDA6221
SHA256:0EF152D882D103308CF86C651CE3A6CA4F20F82C6EC9E31FDC6E1D4AAECD8F4A
3084iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFEC6DB8C213AA597E.TMP
MD5:
SHA256:
2308NEW RELEASE.exeC:\ProgramData\CBFGQF\DWB.00binary
MD5:A536F7D42DADCBFBA4382DA3586A5EE4
SHA256:D90E545803E4ACD0A1D6580C2453ECA23562FF95CAF97980F09930CA0D2876E1
3084iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF1724942A966E1C29.TMP
MD5:
SHA256:
3084iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A4ADA3E4-2DE3-11E9-AA93-5254004A04AF}.dat
MD5:
SHA256:
2308NEW RELEASE.exeC:\Users\admin\Desktop\CFPHV2.0.zipcompressed
MD5:D19C8781A9C7C4EE8F19657BA1E5D80F
SHA256:34C166A0D35B908F1A76B84FDA9DC4C2B589261E59D7599B764325E234BE425F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
45
DNS requests
29
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3968
c0YPfe7h.exe
GET
200
103.255.237.236:80
http://exiledros.net/GpRk9lnkYDU7ROyE.php
VN
text
9 b
malicious
3824
iexplore.exe
GET
200
103.255.237.236:80
http://exiledros.net/
VN
html
3.79 Kb
malicious
3824
iexplore.exe
GET
103.255.237.236:80
http://exiledros.net/file/introboxes.js
VN
malicious
3084
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3824
iexplore.exe
GET
200
103.255.237.236:80
http://exiledros.net/file/css1.css
VN
text
1.47 Kb
malicious
3968
c0YPfe7h.exe
GET
200
103.255.237.236:80
http://exiledros.net/webcheck.php
VN
text
20 b
malicious
3824
iexplore.exe
GET
103.255.237.236:80
http://exiledros.net/file/jquery-latest.js
VN
malicious
3968
c0YPfe7h.exe
GET
200
103.255.237.236:80
http://exiledros.net/downloadlink.php
VN
text
24 b
malicious
3968
c0YPfe7h.exe
GET
200
103.255.237.236:80
http://exiledros.net/cfph.php
VN
text
2 b
malicious
3824
iexplore.exe
GET
200
172.217.18.98:80
http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
US
text
29.4 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3084
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3824
iexplore.exe
172.217.21.238:443
www.google-analytics.com
Google Inc.
US
whitelisted
3824
iexplore.exe
103.255.237.236:80
exiledros.net
VNPT Corp
VN
unknown
3824
iexplore.exe
172.217.22.106:80
ajax.googleapis.com
Google Inc.
US
whitelisted
3824
iexplore.exe
172.217.18.98:80
pagead2.googlesyndication.com
Google Inc.
US
whitelisted
3968
c0YPfe7h.exe
103.255.237.236:80
exiledros.net
VNPT Corp
VN
unknown
3824
iexplore.exe
216.58.208.40:443
www.googletagmanager.com
Google Inc.
US
whitelisted
3804
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1244
chrome.exe
172.217.23.170:443
ajax.googleapis.com
Google Inc.
US
whitelisted
1244
chrome.exe
216.58.207.67:443
www.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
exiledros.net
  • 103.255.237.236
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ajax.googleapis.com
  • 172.217.22.106
  • 216.58.210.10
  • 172.217.18.106
  • 172.217.23.170
  • 172.217.21.202
  • 216.58.205.234
  • 172.217.21.234
  • 172.217.18.10
  • 172.217.18.170
  • 172.217.23.138
  • 216.58.206.10
  • 216.58.207.74
  • 216.58.208.42
  • 172.217.16.138
  • 172.217.22.42
whitelisted
www.googletagmanager.com
  • 216.58.208.40
whitelisted
pagead2.googlesyndication.com
  • 172.217.18.98
whitelisted
www.google-analytics.com
  • 172.217.21.238
whitelisted
clk.ink
  • 104.28.13.33
  • 104.28.12.33
malicious
clientservices.googleapis.com
  • 172.217.21.227
whitelisted
www.google.de
  • 216.58.205.227
whitelisted
www.gstatic.com
  • 216.58.207.67
whitelisted

Threats

No threats detected
Process
Message
c0YPfe7h.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
RogueKiller_portable32.exe
libpng warning: iCCP: known incorrect sRGB profile
RogueKiller_portable32.exe
libpng warning: iCCP: known incorrect sRGB profile
RogueKiller_portable32.exe
libpng warning: iCCP: known incorrect sRGB profile
RogueKiller_portable32.exe
libpng warning: iCCP: known incorrect sRGB profile
RogueKiller_portable32.exe
libpng warning: iCCP: known incorrect sRGB profile
RogueKiller_portable32.exe
libpng warning: iCCP: known incorrect sRGB profile
RogueKiller_portable32.exe
libpng warning: iCCP: known incorrect sRGB profile
RogueKiller_portable32.exe
libpng warning: iCCP: known incorrect sRGB profile
RogueKiller_portable32.exe
libpng warning: iCCP: known incorrect sRGB profile
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
NEW RELEASE.exe