File name:

d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce

Full analysis: https://app.any.run/tasks/b6823f63-d3c6-49d9-bf4d-ed71e4b0b7a6
Verdict: Malicious activity
Analysis date: December 05, 2022, 21:59:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

8D65244421B6A050DC3AA9639277C4D8

SHA1:

2D9E0403FB319BF3FE4E58FCE745ABD21F3BABEE

SHA256:

D465E61CB369D3A5AB4B58F01889D7BF10510F5C50F19AADC628821662181FCE

SSDEEP:

6144:2e34nAr5S53BAcAyYJKc0n2Ihv3DPpyugqHjQpXcKM33xS:4A6ADd02IRDhyugqHwXcKM38

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 3188)

    • Loads dropped or rewritten executable

      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 3188)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 3188)

    • Drops a file with too old compile date

      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 3188)

  • INFO

    • Checks supported languages

      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 3188)

    • Reads the computer name

      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 3188)

    • Manual execution by a user

      • explorer.exe (PID: 2500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2009-Dec-05 22:50:52
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 216

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2009-Dec-05 22:50:52
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
23628
24064
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.44011
.rdata
28672
4764
5120
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.04684
.data
36864
154712
1024
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.801
.ndata
192512
61440
0
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc
253952
2768
3072
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.39962

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.50665
744
UNKNOWN
English - United States
RT_ICON
103
2.16096
20
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.66174
256
UNKNOWN
English - United States
RT_DIALOG
106
2.88094
284
UNKNOWN
English - United States
RT_DIALOG
111
2.48825
96
UNKNOWN
English - United States
RT_DIALOG
1 (#2)
5.21482
958
UNKNOWN
English - United States
RT_MANIFEST

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe explorer.exe no specs d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1540"C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe" C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
c:\windows\system32\ntdll.dll
2500"C:\Windows\explorer.exe" C:\Windows\explorer.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3188"C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe" C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
Explorer.EXE
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events
771
Read events
769
Write events
2
Delete events
0

Modification events

(PID) Process:(3188) d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
Operation:writeName:Terminus
Value:
terminus.fon
(PID) Process:(3188) d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:writeName:PendingFileRenameOperations
Value:
\??\C:\Users\admin\AppData\Local\Temp\nsiF737.tmp\
Executable files
5
Suspicious files
0
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
3188d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exeC:\Users\admin\AppData\Local\Temp\nsiF737.tmp\gq2.txttext
MD5:
SHA256:
3188d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exeC:\Users\admin\AppData\Local\Temp\nsiF737.tmp\terminus.fonexecutable
MD5:
SHA256:
3188d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exeC:\Users\admin\AppData\Local\Temp\nsiF737.tmp\dv1.txttext
MD5:
SHA256:
3188d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exeC:\Users\admin\AppData\Local\Temp\nsiF737.tmp\ao2.txttext
MD5:
SHA256:
3188d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exeC:\Users\admin\AppData\Local\Temp\nsiF737.tmp\ge2.txttext
MD5:
SHA256:
3188d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exeC:\Users\admin\AppData\Local\Temp\nsiF737.tmp\ka2.txttext
MD5:
SHA256:
3188d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exeC:\Users\admin\AppData\Local\Temp\nsiF737.tmp\ij1.txttext
MD5:
SHA256:
3188d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exeC:\Users\admin\AppData\Local\Temp\nsiF737.tmp\ll2.txttext
MD5:
SHA256:
3188d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exeC:\Users\admin\AppData\Local\Temp\nsiF737.tmp\fcpw.exeexecutable
MD5:
SHA256:
3188d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exeC:\Users\admin\AppData\Local\Temp\nsiF737.tmp\nsDialogs.dllexecutable
MD5:C10E04DD4AD4277D5ADC951BB331C777
SHA256:E31AD6C6E82E603378CB6B80E67D0E0DCD9CF384E1199AC5A65CB4935680021A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce