File name:

d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce

Full analysis: https://app.any.run/tasks/c79bb15a-b6fc-4585-affc-ae8fc4cec45c
Verdict: Malicious activity
Analysis date: December 05, 2022, 21:57:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 8D65244421B6A050DC3AA9639277C4D8
SHA1: 2D9E0403FB319BF3FE4E58FCE745ABD21F3BABEE
SHA256: D465E61CB369D3A5AB4B58F01889D7BF10510F5C50F19AADC628821662181FCE
SSDEEP: 6144:2e34nAr5S53BAcAyYJKc0n2Ihv3DPpyugqHjQpXcKM33xS:4A6ADd02IRDhyugqHwXcKM38

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 1232)
    • Application was dropped or rewritten from another process

      • fcpw.exe (PID: 3344)
    • Drops the executable file immediately after the start

      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 1232)
  • SUSPICIOUS

    • Drops a file with too old compile date

      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 1232)
    • Executable content was dropped or overwritten

      • d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID: 1232)
  • INFO

    No info indicators.

All three MALICIOUS-tier signatures describe one action: the NSIS installer (PID 1232) unpacking fcpw.exe into its nsa15DB.tmp working directory and executing it. The SUSPICIOUS entries are that same drop plus the old compile date of a dropped file. No network activity and no threat detection occurred in this run, and the only other executable listed among the dropped files, nsDialogs.dll, is a standard NSIS UI plugin. Read the "Malicious activity" verdict in that light and, as the disclaimer above says, against the behaviour actually recorded below.
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2009-Dec-05 22:50:52
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 216

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2009-Dec-05 22:50:52
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name    Virtual Address  Virtual Size  Raw Size  Characteristics                                                             Entropy
.text   4096             23628         24064     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                6.44011
.rdata  28672            4764          5120      IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                           5.04684
.data   36864            154712        1024      IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE      4.801
.ndata  192512           61440         0         IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE    -
.rsrc   253952           2768          3072      IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                           4.39962

.ndata has no raw data (IMAGE_SCN_CNT_UNINITIALIZED_DATA, raw size 0), so no entropy can be reported for it. An .ndata section is the signature of the NSIS stub; the compressed install script and payload are not in any section but in the overlay appended after .rsrc, which is why the sections themselves show moderate entropy and TRiD identifies the file as NSIS.
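The DOS Header, PE Headers and Sections tables above are read straight out of the file's headers; the following parser shows how those fields, the timestamp rendering and the per-section entropy are derived, and how a section with no raw data (like .ndata) is handled. This is an added example, not code from the ANY.RUN report. It runs on a minimal PE32 image constructed inside build_sample_image() (two sections, same virtual addresses as .text and .ndata above); the real sample is not embedded, and all function names are the example's own.

```python
"""Parse the DOS header, PE file header and section table of a PE32 image and
compute per-section entropy. Added example, not part of the ANY.RUN report;
build_sample_image() constructs a minimal image for it to run on."""
import math
import struct
from datetime import datetime, timezone

FILE_FLAGS = {0x1: "IMAGE_FILE_RELOCS_STRIPPED", 0x2: "IMAGE_FILE_EXECUTABLE_IMAGE",
              0x4: "IMAGE_FILE_LINE_NUMS_STRIPPED", 0x8: "IMAGE_FILE_LOCAL_SYMS_STRIPPED",
              0x100: "IMAGE_FILE_32BIT_MACHINE"}
SCN_FLAGS = {0x20: "IMAGE_SCN_CNT_CODE", 0x40: "IMAGE_SCN_CNT_INITIALIZED_DATA",
             0x80: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
             0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}


def flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def shannon_entropy(data):
    """Bits per byte (0..8). None for a section with no raw bytes, such as .ndata."""
    if not data:
        return None
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image):
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]        # DOS header, offset 0x3C
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    first = e_lfanew + 4 + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", image, first + i * 40)
        raw = image[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize, "raw_size": rsize,
                         "characteristics": flag_names(flags, SCN_FLAGS),
                         "entropy": shannon_entropy(raw)})
    return {"e_lfanew": e_lfanew,
            "machine": "IMAGE_FILE_MACHINE_I386" if machine == 0x14C else hex(machine),
            "number_of_sections": nsec,
            # TimeDateStamp is seconds since the Unix epoch, UTC
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%b-%d %H:%M:%S"),
            "characteristics": flag_names(chars, FILE_FLAGS),
            "sections": sections,
            # an .ndata section is the NSIS stub's signature; the payload lives in the overlay
            "nsis_layout": any(s["name"] == ".ndata" for s in sections)}


def build_sample_image():
    """Constructed minimal PE32 (not the real sample): MZ stub, file header with the
    report's timestamp, a zeroed 224-byte optional header, a .text section holding
    every byte value twice (entropy exactly 8.0) and an .ndata section with no raw data."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 1260053452, 0, 0, 224, 0x010F)
    text_raw, text_ptr = bytes(range(256)) * 2, 0x200
    text = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, len(text_raw), text_ptr, 0, 0, 0, 0, 0x60000020)
    ndata = struct.pack("<8sIIIIIIHHI", b".ndata", 0xF000, 0x2F000, 0, 0, 0, 0, 0, 0, 0xC0000080)
    headers = dos + b"PE\0\0" + file_hdr + b"\0" * 224 + text + ndata
    return headers.ljust(text_ptr, b"\0") + text_raw


if __name__ == "__main__":
    info = parse_pe(build_sample_image())
    print(info["machine"], info["timestamp"], ", ".join(info["characteristics"]))
    for s in info["sections"]:
        ent = "-" if s["entropy"] is None else f'{s["entropy"]:.5f}'
        print(f'{s["name"]:8}{s["virtual_address"]:8}{s["virtual_size"]:8}{s["raw_size"]:8}  {ent}')
```

Entropy above 7 in a code section is the usual packed-or-encrypted hint; the 6.44 of this sample's .text is ordinary compiled code, and the interesting content of an NSIS installer is the overlay, which this parser deliberately does not read.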

Resources

Title   Entropy  Size  Codepage  Language                 Type
1       3.50665  744   UNKNOWN   English - United States  RT_ICON
103     2.16096  20    UNKNOWN   English - United States  RT_GROUP_ICON
105     2.66174  256   UNKNOWN   English - United States  RT_DIALOG
106     2.88094  284   UNKNOWN   English - United States  RT_DIALOG
111     2.48825  96    UNKNOWN   English - United States  RT_DIALOG
1 (#2)  5.21482  958   UNKNOWN   English - United States  RT_MANIFEST

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Explorer.EXE
  +-- d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID 856, no specs)
  +-- d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID 1232; drop and start)
        +-- fcpw.exe (PID 3344, no specs)

Process information

PID: 856
CMD: "C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe"
Path: C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
Indicators: none
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules/Images:
  c:\users\admin\appdata\local\temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
  c:\windows\system32\ntdll.dll
The exit code and the module list (only ntdll.dll mapped) show that this medium-integrity launch never ran the installer: it required elevation and, after the UAC prompt, the same command line was started again from Explorer.EXE at HIGH integrity as PID 1232.

PID: 1232
CMD: "C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe"
Path: C:\Users\admin\AppData\Local\Temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
Indicators: MALICIOUS and SUSPICIOUS signatures listed above
Parent process: Explorer.EXE
User: admin
Integrity Level: HIGH
Exit code: none reported
Modules/Images:
  c:\users\admin\appdata\local\temp\d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\shell32.dll

PID: 3344
CMD: "C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\fcpw.exe" 4100 terminus.fon ao2.txt
Path: C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\fcpw.exe
Indicators: Application was dropped or rewritten from another process
Parent process: d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe (PID 1232)
User: admin
Integrity Level: HIGH
Exit code: 0
Modules/Images:
  c:\users\admin\appdata\local\temp\nsa15db.tmp\fcpw.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\imm32.dll
fcpw.exe is the helper the installer extracted into its nsa15DB.tmp working directory; it inherits the installer's HIGH integrity, is handed terminus.fon and one of the dropped text files (ao2.txt) on its command line, and exits cleanly.
Total events: 716
Read events: 714
Write events: 2
Delete events: 0

Modification events

(PID) Process: (1232) d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
Operation: write
Name: Terminus
Value: terminus.fon
A bare file name in the Fonts key is resolved relative to %WINDIR%\Fonts; this write registers the font system-wide and is why the installer needs HIGH integrity.

(PID) Process: (1232) d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: write
Name: PendingFileRenameOperations
Value: \??\C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\
PendingFileRenameOperations is a REG_MULTI_SZ of source/destination pairs that the Session Manager applies at the next boot; a source with an empty destination, as here, is a delete request (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT and a NULL new name). This entry only queues removal of the installer's own nsa15DB.tmp working directory. The same key is a well-known way to stage a reboot-time overwrite of a protected file, so when triaging a sample always check what the destinations are, not just that the value was written.
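Because PendingFileRenameOperations is stored as REG_MULTI_SZ, the value shown above is really a list of paired strings, and the distinction between "delete the temp directory at reboot" and "replace a system file at reboot" is only visible once the pairs are decoded. The following decoder is an added example, not code from the ANY.RUN report. SAMPLE_BLOB is constructed in the script: its first pair reproduces the value recorded for PID 1232, the second pair is an invented rename into System32 included only to exercise the checks; the regexes, function names and flag texts are the example's own.

```python
"""Decode a PendingFileRenameOperations value (REG_MULTI_SZ) into rename/delete
operations and flag the ones worth a second look. Added example, not part of the
ANY.RUN report; SAMPLE_BLOB is constructed here, not read from a live system."""
import re

WINDOWS_SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)


def reg_multi_sz(strings):
    """Encode a REG_MULTI_SZ: UTF-16LE, every string NUL-terminated, then a final NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(blob):
    parts = blob.decode("utf-16-le").split("\0")
    # split() yields one element per string plus two empties: the last string's own
    # terminator and the list terminator. Empty strings in the middle are real entries.
    if len(parts) < 2:
        return []
    return parts[:-2]


def nt_to_win32(path):
    """Drop the '!' replace-existing marker and the '\\??\\' NT object prefix."""
    path = path.lstrip("!")
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_renames(blob):
    strings = decode_multi_sz(blob)
    if len(strings) % 2:               # odd count: treat the dangling source as a delete
        strings.append("")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        op = {"source": nt_to_win32(src),
              "destination": nt_to_win32(dst) if dst else None,
              # empty destination = MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT)
              "action": "delete at reboot" if not dst else "rename at reboot",
              # a '!' prefix on the destination records MOVEFILE_REPLACE_EXISTING
              "replace_existing": dst.startswith("!"),
              "flags": []}
        if TEMP_DIR.search(src):
            op["flags"].append("source under a Temp directory")
        if dst and WINDOWS_SYSTEM_DIRS.match(op["destination"]):
            op["flags"].append("destination is a Windows system directory")
        ops.append(op)
    return ops


# Constructed sample. Pair 1 is the value from the report (delete of the NSIS temp
# directory); pair 2 is invented to show how a staged system-file overwrite would look.
SAMPLE_BLOB = reg_multi_sz([
    "\\??\\C:\\Users\\admin\\AppData\\Local\\Temp\\nsa15DB.tmp\\",
    "",
    "\\??\\C:\\Users\\admin\\AppData\\Local\\Temp\\nsa15DB.tmp\\helper.dll",
    "!\\??\\C:\\Windows\\System32\\helper.dll",
])

if __name__ == "__main__":
    for op in parse_pending_renames(SAMPLE_BLOB):
        target = op["destination"] or "(none)"
        print(f'{op["action"]:17} {op["source"]} -> {target}  {"; ".join(op["flags"])}')
```

On a live system the same decoder can be fed the raw bytes returned by winreg.QueryValueEx for that value (type REG_MULTI_SZ is already split into a list by winreg, so pair the list directly); the logic is identical for the matching ControlSet001 and CurrentControlSet keys.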
Executable files: 5
Suspicious files: 0
Text files: 14
Unknown types: 0

Dropped files

All entries were written by PID 1232 (d465e61cb369d3a5ab4b58f01889d7bf10510f5c50f19aadc628821662181fce.exe) into C:\Users\admin\AppData\Local\Temp\nsa15DB.tmp\, the installer's working directory. The counts above give 5 executable and 14 text files; the ten with hashes in the report are listed here.

fcpw.exe (executable)
  MD5:    7B9492B4913C13D5F93D2CF5826E672B
  SHA256: 5C7BA53724FDCD120B8AA9ABFE4273817BC63C1C39321DE4C18851716FD17451
dv1.txt (text)
  MD5:    8FE7D0477F630992A0A0BAE830481D8B
  SHA256: BC32799C1EEEBA159449D0BC1FCCBDD0A44BAA3E7255C3832E1107457548A84E
CHANGES (text)
  MD5:    47652D491F1D7578741A49B32C881C28
  SHA256: 5D282D8DEC5FBDA89B6C377BD0E57F43E33A476E863C8C8073F5BEB7F1D10AD6
AUTHORS (text)
  MD5:    AE271043C5301F304AEA2B8696DBF5E5
  SHA256: 7A5E955BAAF28951CF5D75D8F13B48273B02A9569D25210D6486BA8656F8AF27
nsDialogs.dll (executable)
  MD5:    C10E04DD4AD4277D5ADC951BB331C777
  SHA256: E31AD6C6E82E603378CB6B80E67D0E0DCD9CF384E1199AC5A65CB4935680021A
ge2.txt (text)
  MD5:    EA7D7822027F0B4B158D0339D83CAFE8
  SHA256: 2F5D7A5C033276749B03A515C4D6A48B03261B441F3A61571F2459F110FD49E9
ll2.txt (text)
  MD5:    782E13664A026B50BB5687079FB89DA2
  SHA256: 965942BD6C5DC0EC7D35D82776E3B7108C842F0B14F60DAA79CF81810D87632F
ao2.txt (text)
  MD5:    2DC5E3E6AE5E6CF1264A945353BAEC5F
  SHA256: 373AA56DF1EBC44DCD6E0DE5CA6CB308E660D885CC7E80AA489C3928C3547D78
hi2-ka2.txt (text)
  MD5:    2FA46F9D5D914AC959EA16D11A17F670
  SHA256: E520FECEFFAFCB0F9E660FE024DE695CCD21B2040EE14452670AE9B22E19D3BA
td1.txt (text)
  MD5:    22504D6DF2E85CBCADFDC594F100F956
  SHA256: E1D596F02D9CCEBF0261CE1D69B26281C4783082B00356CD04ECE0744A9B9017
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info