analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

red.EXE

Full analysis: https://app.any.run/tasks/1722f86b-8a27-4d7e-999f-b06f77311008
Verdict: Malicious activity
Analysis date: August 08, 2020, 19:05:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

2D7B92666BB2809EB95B50772D28DF03

SHA1:

EE00183ED3278BCBE88AECE13EB24773780FD1A6

SHA256:

D3C87C0D31E5E636CBCC38F9697EDCBF1DF83492C9326B697358480ACA996A72

SSDEEP:

393216:GFsXBznwyVkZk7XKVUljD4T6tSZdmMuW+2n8:XxwyR7XTlP2wSZdms+U8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • ati.exe (PID: 1696)
      • hlds.exe (PID: 3108)
      • hlds.exe (PID: 3748)
      • hlds.exe (PID: 788)
      • hlds.exe (PID: 4048)
      • hlds.exe (PID: 832)

    • Application was dropped or rewritten from another process

      • upnpc-static.exe (PID: 2280)
      • upnpc-static.exe (PID: 2700)
      • hlds.exe (PID: 3108)
      • upnpc-static.exe (PID: 3776)
      • ati.exe (PID: 1696)
      • hlds.exe (PID: 3748)
      • hlds.exe (PID: 788)
      • upnpc-static.exe (PID: 1256)
      • hlds.exe (PID: 4048)
      • upnpc-static.exe (PID: 2812)
      • hlds.exe (PID: 832)

  • SUSPICIOUS

    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 2792)
      • cmd.exe (PID: 3632)
      • cmd.exe (PID: 2892)
      • cmd.exe (PID: 924)
      • cmd.exe (PID: 944)
      • cmd.exe (PID: 3808)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 332)

    • Executable content was dropped or overwritten

      • red.EXE (PID: 1336)

    • Starts CMD.EXE for commands execution

      • ati.exe (PID: 1696)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • red.EXE (PID: 1336)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1caa5
UninitializedDataSize: -
InitializedDataSize: 196096
CodeSize: 188416
LinkerVersion: 14
PEType: PE32
TimeStamp: 2016:07:21 11:06:58+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 21-Jul-2016 09:06:58
Detected languages:
  • English - United States
Debug artifacts:
  • D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 21-Jul-2016 09:06:58
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0002DFE8
0x0002E000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.71015
.rdata
0x0002F000
0x000099D0
0x00009A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.15458
.data
0x00039000
0x0001F8B8
0x00000C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.29195
.gfids
0x00059000
0x000000F0
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.12556
.rsrc
0x0005A000
0x00004680
0x00004800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.63811
.reloc
0x0005F000
0x00001F8C
0x00002000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.64096

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.25329
1875
UNKNOWN
English - United States
RT_MANIFEST
2
3.88998
1384
UNKNOWN
English - United States
RT_ICON
3
4.12176
744
UNKNOWN
English - United States
RT_ICON
4
4.68705
2216
UNKNOWN
English - United States
RT_ICON
7
3.1586
482
UNKNOWN
English - United States
RT_STRING
8
3.11685
460
UNKNOWN
English - United States
RT_STRING
9
3.15447
494
UNKNOWN
English - United States
RT_STRING
10
2.99727
326
UNKNOWN
English - United States
RT_STRING
11
3.2036
1094
UNKNOWN
English - United States
RT_STRING
12
3.12889
358
UNKNOWN
English - United States
RT_STRING

Imports

COMCTL32.dll (delay-loaded)
KERNEL32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
73
Monitored processes
26
Malicious processes
7
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start red.exe ati.exe no specs cmd.exe no specs reg.exe no specs upnpc-static.exe cmd.exe no specs hlds.exe netsh.exe no specs upnpc-static.exe cmd.exe no specs netsh.exe no specs upnpc-static.exe cmd.exe no specs netsh.exe no specs upnpc-static.exe upnpc-static.exe cmd.exe no specs netsh.exe no specs hlds.exe cmd.exe no specs netsh.exe no specs cmd.exe no specs netsh.exe no specs hlds.exe hlds.exe hlds.exe

Process information

PID
CMD
Path
Indicators
Parent process
1336"C:\Users\admin\AppData\Local\Temp\red.EXE" C:\Users\admin\AppData\Local\Temp\red.EXE
explorer.exe
User:
admin
Integrity Level:
MEDIUM
1696"C:\Users\admin\AppData\Local\Temp\RarSFX0\ati.exe" /SC:\Users\admin\AppData\Local\Temp\RarSFX0\ati.exered.EXE
User:
admin
Integrity Level:
MEDIUM
332C:\Windows\system32\cmd.exe /c reg add "HKCU\Software\Valve\Steam\ActiveProcess" /v SteamClientDll /t REG_SZ /d "" /fC:\Windows\system32\cmd.exeati.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
820reg add "HKCU\Software\Valve\Steam\ActiveProcess" /v SteamClientDll /t REG_SZ /d "" /fC:\Windows\system32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2700 -a 192.168.100.221 29000 29000 udpC:\Users\admin\AppData\Local\Temp\RarSFX0\upnpc-static.exe
ati.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
3632C:\Windows\system32\cmd.exe /c netsh firewall add portopening UDP 29000 "Open Port 0"C:\Windows\system32\cmd.exeati.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3108 -console -game cstrike -insecure +sys_ticrate 10000 -heapsize 15000 +port 29000 +map de_dust2 +maxplayers 32 +exec server.cfg +ip 192.168.100.221 +hostname "CS.TEST.RO"C:\Users\admin\AppData\Local\Temp\RarSFX0\hlds.exe
ati.exe
User:
admin
Company:
Valve
Integrity Level:
MEDIUM
Description:
HLDS Launcher
Version:
4, 1, 1, 1
1024netsh firewall add portopening UDP 29000 "Open Port 0"C:\Windows\system32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3776 -a 192.168.100.221 29001 29001 udpC:\Users\admin\AppData\Local\Temp\RarSFX0\upnpc-static.exe
ati.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
2792C:\Windows\system32\cmd.exe /c netsh firewall add portopening UDP 29001 "Open Port 0"C:\Windows\system32\cmd.exeati.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
749
Read events
466
Write events
0
Delete events
0

Modification events

No data
Executable files
42
Suspicious files
2
Text files
105
Unknown types
192

Dropped files

PID
Process
Filename
Type
1336red.EXEC:\Users\admin\AppData\Local\Temp\RarSFX0\maps.txttext
MD5:BDDB91D23A5BAC64F0B3998D857AEB40
SHA256:B54CE580355A1F225C0EEC1ECDB804BE80059A68AECD661917D2E1E6CACA45AE
1336red.EXEC:\Users\admin\AppData\Local\Temp\RarSFX0\hlds.exeexecutable
MD5:15DB208261C2EC83E50A7036EB7A78F4
SHA256:CC9B8D554BA7BDC5385C1FC20367A51A9EC557BB30363708A01015E9415D3F1B
1336red.EXEC:\Users\admin\AppData\Local\Temp\RarSFX0\hostnames.txttext
MD5:E5E346431D54ED1ADC68CCF229DF857D
SHA256:C20D9C1F90E7CEFC0A55EE6F5577BCBBF14EC4A7E059A1BFA73E812C49B1FA45
1336red.EXEC:\Users\admin\AppData\Local\Temp\RarSFX0\start.exeexecutable
MD5:2472969B2234561964750E807A17EB3C
SHA256:5CE7CF14DE5B6EB60014D16783CFE4FFE102FAD582488776CFAE5F98B60AFB3C
1336red.EXEC:\Users\admin\AppData\Local\Temp\RarSFX0\stop.exeexecutable
MD5:D54B1348AB806A402CD810E779AE29F8
SHA256:0A6BB447D2AE86E51C89B528243A9E726E6AE6D465750456C341258BC71FE1DE
1336red.EXEC:\Users\admin\AppData\Local\Temp\RarSFX0\steam_api_c.dllexecutable
MD5:D20C7E1D930FA33F1E21662D6971D3FD
SHA256:127C5748E8E05AD325B175D351FB08DD01E07F20623B1FB46B58FDAF371BF950
1336red.EXEC:\Users\admin\AppData\Local\Temp\RarSFX0\steam_api.dllexecutable
MD5:58F14FF51DC4A83C3F386FE289092613
SHA256:FAD5E776959F16666EA2B4EE544CADD37240A1DC35297AA3B63A14492050EF3F
1336red.EXEC:\Users\admin\AppData\Local\Temp\RarSFX0\steamclient.dllexecutable
MD5:00C88D79D3343205ED63A5515423BE41
SHA256:23006BBE84CA752B4D910731BAB26E964E255E1EC160C1F99D8517223EDB8730
1336red.EXEC:\Users\admin\AppData\Local\Temp\RarSFX0\Steam.dllexecutable
MD5:A5F5B8A1050769082C2F310048A151A8
SHA256:85015899CDA2C01FDD75592705B0E2BE61C2163677797BCB87E5C16E26007B7A
1336red.EXEC:\Users\admin\AppData\Local\Temp\RarSFX0\swds.dllexecutable
MD5:8C36D5733C83B6DB7E6A41008CBC3EDC
SHA256:62F05B69DFE999B54A914726AF83A4F5538380919B25229331D9244252D6FB6F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
72
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
162.254.196.43:27020
Valve Corporation
GB
unknown
162.254.196.43:27017
Valve Corporation
GB
unknown
162.254.196.41:27018
Valve Corporation
GB
unknown
162.254.196.43:27019
Valve Corporation
GB
unknown
162.254.196.43:27018
Valve Corporation
GB
unknown
162.254.196.40:27020
Valve Corporation
GB
unknown
3108
hlds.exe
185.25.180.15:27017
Valve Corporation
SE
unknown
162.254.196.40:27021
Valve Corporation
GB
unknown
185.25.180.15:27020
Valve Corporation
SE
unknown
162.254.196.42:27017
Valve Corporation
GB
unknown

DNS requests

No data

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
Process
Message
hlds.exe
Protocol version 48 Exe version 1.1.2.7 (cstrike)
hlds.exe
Exe build: 10:44:49 Aug 28 2012 (5758)
hlds.exe
STEAM Auth Server
hlds.exe
Server IP address 192.168.100.221:29000
hlds.exe
hlds.exe
Metamod version 1.19 Copyright (c) 2001-2006 Will Day <[email protected]>
hlds.exe
Metamod comes with ABSOLUTELY NO WARRANTY; for details type `meta gpl'.
hlds.exe
This is free software, and you are welcome to redistribute it
hlds.exe
under certain conditions; type `meta gpl' for details.
hlds.exe
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
red.EXE