File name:

Bonzify.exe

Full analysis: https://app.any.run/tasks/3887ee86-94f2-4a29-9818-8e38247b94be
Verdict: Malicious activity
Analysis date: June 15, 2024, 22:21:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

9C352D2CE0C0BDC40C72F52CE3480577

SHA1:

BD4C956186F33C92EB4469F7E5675510D0790E99

SHA256:

D7E6580054525D3F21F86EDFC9F30B7A75FFA829A1EB67EE3CAB33F0040DBA4E

SSDEEP:

196608:/dAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3o:naWedh+Idx75QYub//73lc6u7bLMYxDo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Bonzify.exe (PID: 4088)
      • INSTALLER.exe (PID: 1620)
      • INSTALLER.exe (PID: 2304)

    • Registers / Runs the DLL via REGSVR32.EXE

      • INSTALLER.exe (PID: 2304)
      • INSTALLER.exe (PID: 1620)

    • Changes the autorun value in the registry

      • INSTALLER.exe (PID: 1620)

    • Changes the AppInit_DLLs value (autorun option)

      • Bonzify.exe (PID: 4088)

    • Creates a writable file in the system directory

      • INSTALLER.exe (PID: 1620)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Bonzify.exe (PID: 4088)

    • Executing commands from a ".bat" file

      • Bonzify.exe (PID: 4088)

    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 1020)

    • Starts a Microsoft application from unusual location

      • INSTALLER.exe (PID: 2304)
      • INSTALLER.exe (PID: 1620)

    • Executable content was dropped or overwritten

      • Bonzify.exe (PID: 4088)
      • INSTALLER.exe (PID: 2304)
      • INSTALLER.exe (PID: 1620)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 1020)

    • Process drops legitimate windows executable

      • Bonzify.exe (PID: 4088)
      • INSTALLER.exe (PID: 2304)
      • INSTALLER.exe (PID: 1620)

    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 1020)

    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 1056)
      • regsvr32.exe (PID: 728)
      • regsvr32.exe (PID: 1488)
      • regsvr32.exe (PID: 1840)
      • regsvr32.exe (PID: 1764)
      • regsvr32.exe (PID: 308)
      • regsvr32.exe (PID: 552)
      • regsvr32.exe (PID: 1284)
      • regsvr32.exe (PID: 284)

    • Creates file in the systems drive root

      • Bonzify.exe (PID: 4088)
      • WINWORD.EXE (PID: 1280)

    • Creates a software uninstall entry

      • INSTALLER.exe (PID: 1620)

  • INFO

    • Create files in a temporary directory

      • Bonzify.exe (PID: 4088)
      • INSTALLER.exe (PID: 2304)
      • INSTALLER.exe (PID: 1620)

    • Checks supported languages

      • INSTALLER.exe (PID: 2304)
      • Bonzify.exe (PID: 4088)
      • INSTALLER.exe (PID: 1620)
      • AgentSvr.exe (PID: 588)
      • AgentSvr.exe (PID: 1948)
      • wmpnscfg.exe (PID: 2792)
      • wmpnscfg.exe (PID: 2940)
      • wmpnscfg.exe (PID: 692)
      • wmpnscfg.exe (PID: 1840)

    • Reads the computer name

      • INSTALLER.exe (PID: 2304)
      • INSTALLER.exe (PID: 1620)
      • Bonzify.exe (PID: 4088)
      • AgentSvr.exe (PID: 1948)
      • wmpnscfg.exe (PID: 2792)
      • wmpnscfg.exe (PID: 2940)
      • wmpnscfg.exe (PID: 1840)
      • wmpnscfg.exe (PID: 692)

    • Reads the machine GUID from the registry

      • Bonzify.exe (PID: 4088)
      • AgentSvr.exe (PID: 1948)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2792)
      • WINWORD.EXE (PID: 1280)
      • wmpnscfg.exe (PID: 2940)
      • wmpnscfg.exe (PID: 1840)
      • wmpnscfg.exe (PID: 692)
      • DFDWiz.exe (PID: 2284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 MS Cabinet Self-Extractor (WExtract stub) (86.7)
.exe | Win32 Executable MS Visual C++ (generic) (8.9)
.dll | Win32 Dynamic Link Library (generic) (1.8)
.exe | Win32 Executable (generic) (1.2)
.exe | Generic Win/DOS Executable (0.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:03:04 14:58:11+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 4096
InitializedDataSize: 6697472
UninitializedDataSize: -
EntryPoint: 0x16b0
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
27
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start bonzify.exe cmd.exe no specs taskkill.exe no specs takeown.exe no specs icacls.exe no specs installer.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs agentsvr.exe no specs grpconv.exe no specs installer.exe regsvr32.exe no specs regsvr32.exe no specs grpconv.exe no specs agentsvr.exe winword.exe no specs wmpnscfg.exe no specs wmpnscfg.exe no specs wmpnscfg.exe no specs wmpnscfg.exe no specs dfdwiz.exe no specs bonzify.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
284regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dllC:\Windows\System32\regsvr32.exeINSTALLER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
308regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"C:\Windows\System32\regsvr32.exeINSTALLER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
552regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"C:\Windows\System32\regsvr32.exeINSTALLER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
588"C:\Windows\msagent\AgentSvr.exe" /regserverC:\Windows\msagent\AgentSvr.exeINSTALLER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Agent Server
Exit code:
0
Version:
2.00.0.2202
Modules
Images
c:\windows\msagent\agentsvr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
692grpconv.exe -oC:\Windows\System32\grpconv.exeINSTALLER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Progman Group Converter
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\grpconv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
692"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
728regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"C:\Windows\System32\regsvr32.exeINSTALLER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
864taskkill /f /im AgentSvr.exeC:\Windows\System32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
1020C:\Windows\system32\cmd.exe /c "C:\Users\admin\AppData\Local\Temp\KillAgent.bat"C:\Windows\System32\cmd.exeBonzify.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1056regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"C:\Windows\System32\regsvr32.exeINSTALLER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
7 031
Read events
6 471
Write events
230
Delete events
330

Modification events

(PID) Process:(2304) INSTALLER.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:writeName:setupapi.app.log
Value:
4096
(PID) Process:(1764) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32
Operation:writeName:ThreadingModel
Value:
Apartment
(PID) Process:(1764) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}\InprocServer32
Operation:writeName:ThreadingModel
Value:
Apartment
(PID) Process:(1764) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Control
Operation:delete keyName:(default)
Value:
(PID) Process:(1764) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\InprocServer32
Operation:delete keyName:(default)
Value:
(PID) Process:(1764) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\MiscStatus\1
Operation:delete keyName:(default)
Value:
(PID) Process:(1764) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\MiscStatus
Operation:delete keyName:(default)
Value:
(PID) Process:(1764) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ProgID
Operation:delete keyName:(default)
Value:
(PID) Process:(1764) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\Programmable
Operation:delete keyName:(default)
Value:
(PID) Process:(1764) regsvr32.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}\ToolboxBitmap32
Operation:delete keyName:(default)
Value:
Executable files
54
Suspicious files
19
Text files
5
Unknown types
4

Dropped files

PID
Process
Filename
Type
4088Bonzify.exeC:\Users\admin\AppData\Local\Temp\KillAgent.battext
MD5:EA7DF060B402326B4305241F21F39736
SHA256:E4EDC2CB6317AB19EE1A6327993E9332AF35CFBEBAFF2AC7C3F71D43CFCBE793
2304INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLLexecutable
MD5:4FBBAAC42CF2ECB83543F262973D07C0
SHA256:6550582E41FC53B8A7CCDF9AC603216937C6FF2A28E9538610ADB7E67D782AB5
2304INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLLexecutable
MD5:7C5AEFB11E797129C9E90F279FBDF71B
SHA256:394A17150B8774E507B8F368C2C248C10FCE50FC43184B744E771F0E79ECAFED
2304INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLLexecutable
MD5:9FAFB9D0591F2BE4C2A846F63D82D301
SHA256:E78E74C24D468284639FAF9DCFDBA855F3E4F00B2F26DB6B2C491FA51DA8916D
2304INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLLexecutable
MD5:0CBF0F4C9E54D12D34CD1A772BA799E1
SHA256:6B0B57E5B27D901F4F106B236C58D0B2551B384531A8F3DAD6C06ED4261424B1
4088Bonzify.exeC:\Users\admin\AppData\Local\Temp\TakeOwn.battext
MD5:F80E36CD406022944558D8A099DB0FA7
SHA256:7B41E5A6C2DD92F60C38CB4FE09DCBE378C3E99443F7BAF079ECE3608497BDC7
2304INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXEexecutable
MD5:5C91BF20FE3594B81052D131DB798575
SHA256:E8CE546196B6878A8C34DA863A6C8A7E34AF18FB9B509D4D36763734EFA2D175
2304INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLLexecutable
MD5:B4AC608EBF5A8FDEFA2D635E83B7C0E8
SHA256:8414DFE399813B7426C235BA1E625BD2B5635C8140DA0D0CFC947F6565FE415F
2304INSTALLER.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\AGTEULA.TXTtext
MD5:7070B77ED401307D2E9A0F8EAAAA543B
SHA256:225D227ABBD45BF54D01DFC9FA6E54208BF5AE452A32CC75B15D86456A669712
4088Bonzify.exeC:\Users\admin\AppData\Local\Temp\INSTALLER.exeexecutable
MD5:66996A076065EBDCDAC85FF9637CEAE0
SHA256:16CA09AD70561F413376AD72550AE5664C89C6A76C85C872FFE2CB1E7F49E2AA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
unknown
1088
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
Process
Message
AgentSvr.exe
ClaimOutput
AgentSvr.exe
UnclaimOutput
AgentSvr.exe
ClaimOutput
AgentSvr.exe
ClaimOutput
AgentSvr.exe
UnclaimOutput
AgentSvr.exe
UnclaimOutput
AgentSvr.exe
ClaimOutput
AgentSvr.exe
UnclaimOutput
AgentSvr.exe
ClaimOutput
AgentSvr.exe
UnclaimOutput
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Bonzify.exe