| File name: | ec7a27269006088c499ef0110b857e01.exe |
| Full analysis: | https://app.any.run/tasks/88d6c05f-8eee-470b-85f8-9d113b0be767 |
| Verdict: | Malicious activity |
| Analysis date: | May 28, 2024, 22:25:21 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | EC7A27269006088C499EF0110B857E01 |
| SHA1: | B5CD0567B81F63DDDED7BF1F3E6BB0C324CDF82F |
| SHA256: | E3C32CDBED86C277FE0C1577E577BD2D2B3FEC2F91826E57B387CB96F48293C5 |
| SSDEEP: | 196608:Okgu/Kp7YgLlZ5tqHGvulhPtKsQO0g3x:UuCZjqHQ8RtKDFgh |
MALICIOUS
Drops the executable file immediately after the start
- ec7a27269006088c499ef0110b857e01.exe (PID: 3976)
Uses Task Scheduler to run other applications
- ec7a27269006088c499ef0110b857e01.exe (PID: 3976)
SUSPICIOUS
Process drops legitimate windows executable
- ec7a27269006088c499ef0110b857e01.exe (PID: 3976)
Executable content was dropped or overwritten
- ec7a27269006088c499ef0110b857e01.exe (PID: 3976)
Starts a Microsoft application from unusual location
- ec7a27269006088c499ef0110b857e01.exe (PID: 3976)
INFO
Checks supported languages
- ec7a27269006088c499ef0110b857e01.exe (PID: 3976)
Creates files or folders in the user directory
- ec7a27269006088c499ef0110b857e01.exe (PID: 3976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:05:03 14:18:15+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.29 |
| CodeSize: | 7168 |
| InitializedDataSize: | 7680 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x41062a |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 10.0.15063.0 |
| ProductVersionNumber: | 10.0.15063.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Microsoft Corporation |
| FileDescription: | TSTheme Server Module |
| FileVersion: | 10.0.15063.0 (WinBuild.160101.0800) |
| InternalName: | TSThemeS.exe |
| LegalCopyright: | © Microsoft Corporation. All rights reserved. |
| OriginalFileName: | TSThemeS.exe |
| ProductName: | Microsoft® Windows® Operating System |
| ProductVersion: | 10.0.15063.0 |
Total processes
38
Monitored processes
4
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3976 | "C:\Users\admin\AppData\Local\Temp\ec7a27269006088c499ef0110b857e01.exe" | C:\Users\admin\AppData\Local\Temp\ec7a27269006088c499ef0110b857e01.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TSTheme Server Module Exit code: 4294967295 Version: 10.0.15063.0 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3992 | /C /create /F /sc minute /mo 5 /tn "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}" /tr "C:\Users\admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe" | C:\Windows\System32\schtasks.exe | — | ec7a27269006088c499ef0110b857e01.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4024 | /C /Query /XML /TN "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}" | C:\Windows\System32\schtasks.exe | — | ec7a27269006088c499ef0110b857e01.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4056 | /C /create /F /tn "TSTheme Server Module{Q4F5H2C4V3-J6F4M7O4-A3E4F2Q1}" /XML "C:\Users\admin\AppData\Roaming\Microsoft\Windows\TSTheme\6745645343447557" | C:\Windows\System32\schtasks.exe | — | ec7a27269006088c499ef0110b857e01.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
159
Read events
159
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3976 | ec7a27269006088c499ef0110b857e01.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\TSTheme\6745645343447557 | xml | |
MD5:28501E33D567AB0950CEA4CD7E49A692 | SHA256:C6B5FC452F417F9EC664322B595F82F32EE6DCB4B552A5175C6817BC9D059F49 | |||
| 3976 | ec7a27269006088c499ef0110b857e01.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\TSTheme\TSTheme.exe | executable | |
MD5:EC7A27269006088C499EF0110B857E01 | SHA256:E3C32CDBED86C277FE0C1577E577BD2D2B3FEC2F91826E57B387CB96F48293C5 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |