analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

cxmxjh.exe

Full analysis: https://app.any.run/tasks/f987cc2e-36dd-4366-9113-8f388542c14e
Verdict: Malicious activity
Analysis date: September 19, 2019, 10:47:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

A14798D28EF66745B8E424B52ABF0026

SHA1:

928EAF3E5A1AEB37EA9407B0DDD1DC4EDF1038D4

SHA256:

D904EDA57C5D9F5A474B131F34D69765C08C4BB6F54086561B7423E15141FC8B

SSDEEP:

98304:gbZ2Pem8nHZGToYuty+QApNL/Ie+Y21+r1WYH1fUY/XS8YQwvdepYk5xjlY:CXmsGToj8iND9+Y2WaMX7jwvSYojl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • cxmxjh.exe (PID: 3780)
    • Deletes shadow copies

      • cxmxjh.exe (PID: 3780)
    • Actions looks like stealing of personal data

      • cxmxjh.exe (PID: 3780)
  • SUSPICIOUS

    • Executed via COM

      • DllHost.exe (PID: 3076)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • cxmxjh.exe (PID: 3780)
    • Reads the cookies of Mozilla Firefox

      • cxmxjh.exe (PID: 3780)
    • Creates files in the program directory

      • cxmxjh.exe (PID: 3780)
  • INFO

    • Manual execution by user

      • taskmgr.exe (PID: 2204)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:07:29 11:53:51+02:00
PEType: PE32
LinkerVersion: 14.16
CodeSize: 725504
InitializedDataSize: 2481664
UninitializedDataSize: -
EntryPoint: 0x76dac5
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 29-Jul-2019 09:53:51

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 29-Jul-2019 09:53:51
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000B11B3
0x00000000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
0
.rdata
0x000B3000
0x0004A5A8
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0
.data
0x000FE000
0x00209804
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.vmp0
0x00308000
0x00363C6B
0x00000000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
0
.vmp1
0x0066C000
0x005FD5A0
0x005FD600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
7.96321
.reloc
0x00C6A000
0x000005E4
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
4.29641

Imports

ADVAPI32.dll
CRYPT32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
WS2_32.dll
WTSAPI32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cxmxjh.exe vssadmin.exe no specs PhotoViewer.dll no specs taskmgr.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3780"C:\Users\admin\AppData\Local\Temp\cxmxjh.exe" C:\Users\admin\AppData\Local\Temp\cxmxjh.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
2660vssadmin delete shadows / allC:\Windows\system32\vssadmin.execxmxjh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3076C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2204"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
68
Read events
64
Write events
4
Delete events
0

Modification events

(PID) Process:(3780) cxmxjh.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:14nfYK5frS6Jb4B3mthRffTQuTFfeM9un3
Value:
C:\Users\admin\AppData\Local\Temp\cxmxjh.exe
(PID) Process:(3076) DllHost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
DllHost.exe
(PID) Process:(3076) DllHost.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows Photo Viewer\Viewer
Operation:writeName:MainWndPos
Value:
6000000034000000A00400008002000000000000
Executable files
0
Suspicious files
3 851
Text files
0
Unknown types
17

Dropped files

PID
Process
Filename
Type
3780cxmxjh.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xmlbinary
MD5:F9ED76FC62635C464DD9CEE1A0C86CE1
SHA256:D29F204F8B3BD80582116EC15DB4F13B21E9D743E6E14ACCD09F858C95DFA19A
3780cxmxjh.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Mozilla Firefox\updater.inibinary
MD5:6A1C83F520D6D341D1C5C9DEDB4DE5A7
SHA256:D93B61E31FAF49E406589D159D2F9B24128079FE58683A2A5B64290A6C67C26E
3780cxmxjh.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Mozilla Firefox\application.inibinary
MD5:66C1AC42F414FE48C5F09D8FD50464A7
SHA256:8D20CC117E3FD885B811EEFE1EC06ED806F9312422207036E53EB15EBAF81BB6
3780cxmxjh.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\desktop.inibinary
MD5:FE23466B72F913457FEA586065C5D1A1
SHA256:E7AFC5BA22FFAC1D2419ACCFAE77E1D7C660C907BA991D7E2B9E216C01EFEF88
3780cxmxjh.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Mozilla Firefox\platform.inibinary
MD5:03A9A4AFF215C89DB1AB5E3DA16CA668
SHA256:BC90368E36CE02AFC22D95337349C4514B4AF6C93FD5F4836F2DED8034B41F21
3780cxmxjh.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Notepad++\change.logbinary
MD5:96C41C2F0C3380ED9F4FB701B2004F35
SHA256:70CBEBBA62E79F68C581E259308530EBACB8C0A32E209BDE29FD976B1A810981
3780cxmxjh.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Mozilla Firefox\install.logbinary
MD5:F90AE9548176579FF4C8FE1BC5775A41
SHA256:B52E11927A78FC1AEF3D539FD96E677BC0D3A48F43604B4EB52A19EC712BBF80
3780cxmxjh.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Notepad++\functionList.xmlbinary
MD5:F35B5007A432C8F361C61A8E7621D645
SHA256:D7E00774DFE5719069B28C560B40850B8A57DD22B35F8C9300625B2EAE2ED149
3780cxmxjh.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\FileZilla FTP Client\GPL.htmlbinary
MD5:CCD0ECAAC76A58945E01E3D16B4BB69C
SHA256:DEEAC9ECE7136B7686ADA126C30DAA834A0E609A1F287E0030909A0BEBDDA994
3780cxmxjh.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Notepad++\readme.txtbinary
MD5:D5895DE67BFD456929606B2C68B3430F
SHA256:CA641EF44A871F02D7C8DDC39A73E61597D52AE87261C1314C14F268C2980500
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info