File name: d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce

Full analysis: https://app.any.run/tasks/c79bb15a-b6fc-4585-affc-ae8fc4cec45c
Verdict: Malicious activity
Analysis date: December 05, 2022, 21:57:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 8D65244421B6A050DC3AA9639277C4D8
SHA1: 2D9E0403FB319BF3FE4E58FCE745ABD21F3BABEE
SHA256: D465E61CB369D3A5AB4B58F01889D7BF10510F5C50F19AADC628821662181FCE
SSDEEP: 6144:2e34nAr5S53BAcAyYJKc0n2Ihv3DPpyugqHjQpXcKM33xS:4A6ADd02IRDhyugqHwXcKM38

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • fcpw.exe (PID: 3344)
    • Drops the executable file immediately after the start
      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 1232)
    • Loads dropped or rewritten executable
      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 1232)
  • SUSPICIOUS
    • Drops a file with too old compile date
      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 1232)
    • Executable content was dropped or overwritten
      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 1232)
  • INFO
    • No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2009-Dec-05 22:50:52
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 216

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2009-Dec-05 22:50:52
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 23628 | 24064 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.44011
.rdata | 28672 | 4764 | 5120 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04684
.data | 36864 | 154712 | 1024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.801
.ndata | 192512 | 61440 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | - (no raw data)
.rsrc | 253952 | 2768 | 3072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.39962

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.50665 | 744 | UNKNOWN | English - United States | RT_ICON
103 | 2.16096 | 20 | UNKNOWN | English - United States | RT_GROUP_ICON
105 | 2.66174 | 256 | UNKNOWN | English - United States | RT_DIALOG
106 | 2.88094 | 284 | UNKNOWN | English - United States | RT_DIALOG
111 | 2.48825 | 96 | UNKNOWN | English - United States | RT_DIALOG
1 (#2) | 5.21482 | 958 | UNKNOWN | English - United States | RT_MANIFEST

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

[Behavior graph is interactive in the full report. Processes shown: d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (no specs), d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe, fcpw.exe (no specs, marked "drop and start").]

Process information

PID: 856
CMD: "C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe"
Path: C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the installer requests elevation, which is why the second instance below runs at HIGH integrity)

PID: 1232
CMD: "C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe"
Path: C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH

PID: 3344
CMD: "C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\fcpw.exe" 4100 terminus.fon ao2.txt
Path: C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\fcpw.exe
Parent process: d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Total events: 716
Read events: 714
Write events: 2
Delete events: 0

Modification events

(PID) Process: (1232) d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
Operation: write
Name: Terminus
Value: terminus.fon

(PID) Process: (1232) d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: write
Name: PendingFileRenameOperations
Value: \??\C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\
Executable files: 5
Suspicious files: 0
Text files: 14
Unknown types: 0

Dropped files

All files below were dropped by PID 1232 (d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe) into C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\.

Filename | Type | MD5 | SHA256
td1.txt | text | 22504D6DF2E85CBCADFDC594F100F956 | E1D596F02D9CCEBF0261CE1D69B26281C4783082B00356CD04ECE0744A9B9017
ge2.txt | text | EA7D7822027F0B4B158D0339D83CAFE8 | 2F5D7A5C033276749B03A515C4D6A48B03261B441F3A61571F2459F110FD49E9
ll2.txt | text | 782E13664A026B50BB5687079FB89DA2 | 965942BD6C5DC0EC7D35D82776E3B7108C842F0B14F60DAA79CF81810D87632F
ij1.txt | text | A82892C09D94796741C5D333D7ADBD55 | 8E2286205EC5A701BBC477E72DCEAAAADEE0353CAD5C69C9E24004EAF79D6FA9
terminus.fon | executable | 3C648282A62A4C72CAB1C56FFC77B2B3 | A79D6DD3C392D29249C9C2A31C15007978F276AB94E8FA94D8970CD104824F38
ao2.txt | text | 2DC5E3E6AE5E6CF1264A945353BAEC5F | 373AA56DF1EBC44DCD6E0DE5CA6CB308E660D885CC7E80AA489C3928C3547D78
dv1.txt | text | 8FE7D0477F630992A0A0BAE830481D8B | BC32799C1EEEBA159449D0BC1FCCBDD0A44BAA3E7255C3832E1107457548A84E
OFL.TXT | text | 9CADB26F4C5C005618C5AE74F041EC54 | DC367FAB3ACE2C26C893D1EE21823863096EF57C995A249CCAC03E2B80E2E8E3
hi2-ka2.txt | text | 2FA46F9D5D914AC959EA16D11A17F670 | E520FECEFFAFCB0F9E660FE024DE695CCD21B2040EE14452670AE9B22E19D3BA
AUTHORS | text | AE271043C5301F304AEA2B8696DBF5E5 | 7A5E955BAAF28951CF5D75D8F13B48273B02A9569D25210D6486BA8656F8AF27
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info