| File name: | ussf.exe |
| Full analysis: | https://app.any.run/tasks/b25e3c27-013f-4394-99c5-e5a99df0abf6 |
| Verdict: | Malicious activity |
| Analysis date: | October 23, 2023, 12:37:31 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | E9CFCBB1784EF5232C4E3143B231A826 |
| SHA1: | 3528C9C45F3E99FD5922B509E5A77313A7A0E33F |
| SHA256: | D9076BF31BCF4107B85D4BF368D752F6DEBE58F9CCE8B50F0A50FECE2243DA38 |
| SSDEEP: | 24576:WdmH36cY0IstVMSNL/Lb7I2eEHvKBll4CkI30RyTC8EsvEmbAf+:jX6x+VpNLjb9HvKvl4kEX8tvEmx |
MALICIOUS
Application was dropped or rewritten from another process
- 7z.exe (PID: 4008)
- unzip.exe (PID: 2612)
Drops the executable file immediately after the start
- ussf.exe (PID: 2460)
SUSPICIOUS
Starts CMD.EXE for commands execution
- ussf.exe (PID: 2460)
Drops 7-zip archiver for unpacking
- ussf.exe (PID: 2460)
INFO
Reads mouse settings
- ussf.exe (PID: 2460)
Checks supported languages
- ussf.exe (PID: 2460)
- PEiD.exe (PID: 2084)
- unzip.exe (PID: 2612)
- 7z.exe (PID: 4008)
Reads the computer name
- ussf.exe (PID: 2460)
Create files in a temporary directory
- ussf.exe (PID: 2460)
The executable file from the user directory is run by the CMD process
- 7z.exe (PID: 4008)
- unzip.exe (PID: 2612)
Reads the machine GUID from the registry
- ussf.exe (PID: 2460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | InstallShield setup (36.8) |
|---|---|---|
| .exe | | | Win32 Executable MS Visual C++ (generic) (26.6) |
| .exe | | | Win64 Executable (generic) (23.6) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | | | Win32 Executable (generic) (3.8) |
EXIF
EXE
| CompiledScript: | AutoIt v3 Script : 3, 2, 12, 1 |
|---|---|
| FileVersion: | 3, 2, 12, 1 |
| FileDescription: | - |
| CharacterSet: | Unicode |
| LanguageCode: | English (British) |
| FileSubtype: | - |
| ObjectFileType: | Unknown |
| FileOS: | Win32 |
| FileFlags: | (none) |
| FileFlagsMask: | 0x0017 |
| ProductVersionNumber: | 3.2.12.1 |
| FileVersionNumber: | 3.2.12.1 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 4 |
| ImageVersion: | - |
| OSVersion: | 4 |
| EntryPoint: | 0x54bbe |
| UninitializedDataSize: | - |
| InitializedDataSize: | 144896 |
| CodeSize: | 412672 |
| LinkerVersion: | 8 |
| PEType: | PE32 |
| ImageFileCharacteristics: | No relocs, Executable, Large address aware, 32-bit |
| TimeStamp: | 2008:06:12 08:50:53+00:00 |
| MachineType: | Intel 386 or later, and compatibles |
Total processes
43
Monitored processes
6
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2084 | C:\Users\admin\AppData\Local\Temp\PEiD.exe -hard "C:\Windows\Alcrmv.exe" | C:\Users\admin\AppData\Local\Temp\PEiD.exe | — | ussf.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 2460 | "C:\Users\admin\AppData\Local\Temp\ussf.exe" | C:\Users\admin\AppData\Local\Temp\ussf.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 3, 2, 12, 1 Modules
| |||||||||||||||
| 2612 | "C:\Users\admin\AppData\Local\Temp\unzip.exe" -l "C:\Windows\Alcrmv.exe" | C:\Users\admin\AppData\Local\Temp\unzip.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 9 Modules
| |||||||||||||||
| 2756 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\7z.exe" l "C:\Windows\Alcrmv.exe"" | C:\Windows\System32\cmd.exe | — | ussf.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3300 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\unzip.exe" -l "C:\Windows\Alcrmv.exe"" | C:\Windows\System32\cmd.exe | — | ussf.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 9 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 4008 | "C:\Users\admin\AppData\Local\Temp\7z.exe" l "C:\Windows\Alcrmv.exe" | C:\Users\admin\AppData\Local\Temp\7z.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
5 212
Read events
5 144
Write events
67
Delete events
1
Modification events
| (PID) Process: | (2460) ussf.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | NodeSlots |
Value: 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||
| (PID) Process: | (2460) ussf.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | MRUListEx |
Value: 01000000000000000200000007000000060000000C0000000B0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF | |||
| (PID) Process: | (2460) ussf.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | MRUListEx |
Value: 02000000010000000000000007000000060000000C0000000B0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF | |||
| (PID) Process: | (2460) ussf.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
| Operation: | write | Name: | TV_FolderType |
Value: {FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9} | |||
| (PID) Process: | (2460) ussf.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
| Operation: | write | Name: | TV_TopViewID |
Value: {82BA0782-5B7A-4569-B5D7-EC83085F08CC} | |||
| (PID) Process: | (2460) ussf.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg |
| Operation: | write | Name: | TV_TopViewVersion |
Value: 0 | |||
| (PID) Process: | (2460) ussf.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2460) ussf.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | MRUListEx |
Value: 01000000020000000000000007000000060000000C0000000B0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF | |||
| (PID) Process: | (2460) ussf.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} |
| Operation: | write | Name: | Mode |
Value: 4 | |||
| (PID) Process: | (2460) ussf.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} |
| Operation: | write | Name: | LogicalViewMode |
Value: 1 | |||
Executable files
4
Suspicious files
2
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2460 | ussf.exe | C:\Users\admin\AppData\Local\Temp\autFF7C.tmp | executable | |
MD5:4F03D2E68DFFE132C4F839D7723B4AF9 | SHA256:380275CB0355B7DD50435AADD817F804FF3F10109CCB86F9E03A5450128ECCF1 | |||
| 2460 | ussf.exe | C:\Users\admin\AppData\Local\Temp\unzip.exe | executable | |
MD5:75375C22C72F1BEB76BEA39C22A1ED68 | SHA256:8D9B5190AACE52A1DB1AC73A65EE9999C329157C8E88F61A772433323D6B7A4A | |||
| 2460 | ussf.exe | C:\Users\admin\AppData\Local\Temp\aut2AA.tmp | binary | |
MD5:35AEF25EA13D9D5F61A0B5F5CACB3DDD | SHA256:CE7FC1929B0CD7C729FB3899E69728E00EE5CF785C65A8234AE2DD1666DE5FA3 | |||
| 2460 | ussf.exe | C:\Users\admin\AppData\Local\Temp\PEiD.exe | executable | |
MD5:4F03D2E68DFFE132C4F839D7723B4AF9 | SHA256:380275CB0355B7DD50435AADD817F804FF3F10109CCB86F9E03A5450128ECCF1 | |||
| 2460 | ussf.exe | C:\Users\admin\AppData\Local\Temp\7z.exe | executable | |
MD5:08F61F0B620E135C65CF91DCCC7185A9 | SHA256:CF6FA6E89126EBCF7F3AF923C2C802268ADB697BA704703CA8EA6E8EF8A84058 | |||
| 2460 | ussf.exe | C:\Users\admin\AppData\Local\Temp\aut23C.tmp | binary | |
MD5:A4FC966B276554F7CABD7C74605C9407 | SHA256:739A9490187C016D71B6AB7CA377D54D029DA88CAE608F755A2232F495FF283A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
5
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.google.com |
| whitelisted |
Threats
5 ETPRO signatures available at the full report