File name: d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce

Full analysis: https://app.any.run/tasks/b6823f63-d3c6-49d9-bf4d-ed71e4b0b7a6
Verdict: Malicious activity
Analysis date: December 05, 2022, 21:59:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 8D65244421B6A050DC3AA9639277C4D8
SHA1: 2D9E0403FB319BF3FE4E58FCE745ABD21F3BABEE
SHA256: D465E61CB369D3A5AB4B58F01889D7BF10510F5C50F19AADC628821662181FCE
SSDEEP: 6144:2e34nAr5S53BAcAyYJKc0n2Ihv3DPpyugqHjQpXcKM33xS:4A6ADd02IRDhyugqHwXcKM38

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 3188)
    • Drops the executable file immediately after the start
      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 3188)
  • SUSPICIOUS
    • Drops a file with too old compile date
      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 3188)
    • Executable content was dropped or overwritten
      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 3188)
  • INFO
    • Checks supported languages
      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 3188)
    • Reads the computer name
      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 3188)
    • Manual execution by a user
      • explorer.exe (PID: 2500)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2009-Dec-05 22:50:52
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 216

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2009-Dec-05 22:50:52
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Characteristics                                                           | Entropy
.text  | 4096            | 23628        | 24064    | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ             | 6.44011
.rdata | 28672           | 4764         | 5120     | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                        | 5.04684
.data  | 36864           | 154712       | 1024     | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE   | 4.801
.ndata | 192512          | 61440        | 0        | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
.rsrc  | 253952          | 2768         | 3072     | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                        | 4.39962

Resources

Title  | Entropy | Size | Codepage | Language                | Type
1      | 3.50665 | 744  | UNKNOWN  | English - United States | RT_ICON
103    | 2.16096 | 20   | UNKNOWN  | English - United States | RT_GROUP_ICON
105    | 2.66174 | 256  | UNKNOWN  | English - United States | RT_DIALOG
106    | 2.88094 | 284  | UNKNOWN  | English - United States | RT_DIALOG
111    | 2.48825 | 96   | UNKNOWN  | English - United States | RT_DIALOG
1 (#2) | 5.21482 | 958  | UNKNOWN  | English - United States | RT_MANIFEST

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
Total processes: 41
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Interactive process graph omitted.) Processes shown in the graph: d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (no specs), d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe, explorer.exe (no specs)

Process information

PID: 1540
CMD: "C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe"
Path: C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)

PID: 3188
CMD: "C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe"
Path: C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH

PID: 2500
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 771
Read events: 769
Write events: 2
Delete events: 0

Modification events

(PID) Process: (3188) d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
Operation: write
Name: Terminus
Value: terminus.fon

(PID) Process: (3188) d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: write
Name: PendingFileRenameOperations
Value: \??\C:\Users\admin\AppData\Local\Temp\nsiF737.tmp\
Executable files: 5
Suspicious files: 0
Text files: 14
Unknown types: 0

Dropped files

All files below were dropped by PID 3188 (d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe).

C:\Users\admin\AppData\Local\Temp\nsiF737.tmp\ao2.txt (text)
  MD5: 2DC5E3E6AE5E6CF1264A945353BAEC5F
  SHA256: 373AA56DF1EBC44DCD6E0DE5CA6CB308E660D885CC7E80AA489C3928C3547D78

C:\Users\admin\AppData\Local\Temp\nsiF737.tmp\hi2.txt (text)
  MD5: 0E72775B1B4FB53312AD99ABD699124C
  SHA256: 4DF90524326C765D53FC0BCC17AC581C4D3DE77C6DD78D998E172F68F1F37C4B

C:\Users\admin\AppData\Local\Temp\nsiF737.tmp\ll2.txt (text)
  MD5: 782E13664A026B50BB5687079FB89DA2
  SHA256: 965942BD6C5DC0EC7D35D82776E3B7108C842F0B14F60DAA79CF81810D87632F

C:\Users\admin\AppData\Local\Temp\nsiF737.tmp\CHANGES (text)
  MD5: 47652D491F1D7578741A49B32C881C28
  SHA256: 5D282D8DEC5FBDA89B6C377BD0E57F43E33A476E863C8C8073F5BEB7F1D10AD6

C:\Users\admin\AppData\Local\Temp\nsiF737.tmp\hi2-ka2.txt (text)
  MD5: 2FA46F9D5D914AC959EA16D11A17F670
  SHA256: E520FECEFFAFCB0F9E660FE024DE695CCD21B2040EE14452670AE9B22E19D3BA

C:\Users\admin\AppData\Local\Temp\nsiF737.tmp\fcpw.exe (executable)
  MD5: 7B9492B4913C13D5F93D2CF5826E672B
  SHA256: 5C7BA53724FDCD120B8AA9ABFE4273817BC63C1C39321DE4C18851716FD17451

C:\Users\admin\AppData\Local\Temp\nsiF737.tmp\ij1.txt (text)
  MD5: A82892C09D94796741C5D333D7ADBD55
  SHA256: 8E2286205EC5A701BBC477E72DCEAAAADEE0353CAD5C69C9E24004EAF79D6FA9

C:\Users\admin\AppData\Local\Temp\nsiF737.tmp\td1.txt (text)
  MD5: 22504D6DF2E85CBCADFDC594F100F956
  SHA256: E1D596F02D9CCEBF0261CE1D69B26281C4783082B00356CD04ECE0744A9B9017

C:\Windows\Fonts\terminus.fon (executable)
  MD5: 3C648282A62A4C72CAB1C56FFC77B2B3
  SHA256: A79D6DD3C392D29249C9C2A31C15007978F276AB94E8FA94D8970CD104824F38

C:\Users\admin\AppData\Local\Temp\nsiF737.tmp\AUTHORS (text)
  MD5: AE271043C5301F304AEA2B8696DBF5E5
  SHA256: 7A5E955BAAF28951CF5D75D8F13B48273B02A9569D25210D6486BA8656F8AF27
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info