File name: e4650e321e015588030694415b45ca7faa8258149c630b811fa2e2bb80817367

Full analysis: https://app.any.run/tasks/a8a91132-9878-4660-acd1-8bc0b44fa245
Verdict: Malicious activity
Threats:

Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.

Analysis date: December 13, 2024, 21:13:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
sality
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: FBCB39DD71B8BA62CDBE35E0BE021326
SHA1: 04425C093BF3A8B84E4610BA1880FBB2DE2B38FF
SHA256: E4650E321E015588030694415B45CA7FAA8258149C630B811FA2E2BB80817367
SSDEEP: 98304:4jdXOzH1PQucxf9vQH2/Q2rLBRJtmeNSL3/KiB6iti+s6LZAUOZaKjK3:JOOKM481

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • SALITY mutex has been found
      • e4650e321e015588030694415b45ca7faa8258149c630b811fa2e2bb80817367.exe (PID: 6296)
  • SUSPICIOUS
    • Searches for installed software
      • e4650e321e015588030694415b45ca7faa8258149c630b811fa2e2bb80817367.exe (PID: 6296)
    • Executable content was dropped or overwritten
      • e4650e321e015588030694415b45ca7faa8258149c630b811fa2e2bb80817367.exe (PID: 6296)
  • INFO
    • Checks supported languages
      • e4650e321e015588030694415b45ca7faa8258149c630b811fa2e2bb80817367.exe (PID: 6296)
    • Reads the computer name
      • e4650e321e015588030694415b45ca7faa8258149c630b811fa2e2bb80817367.exe (PID: 6296)
    • Creates files in a temporary directory
      • e4650e321e015588030694415b45ca7faa8258149c630b811fa2e2bb80817367.exe (PID: 6296)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

ProductVersion: 1,2,5,40626
ProductName: GoodZip-WIN助手
OriginalFileName: GDutilit.exe
LegalCopyright: Copyright (C)2024沧州句号网络科技有限公司
InternalName: GoodZip-WIN助手
FileDescription: GoodZip-WIN助手
CompanyName: 沧州句号网络科技有限公司
CharacterSet: Unicode
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0017
ProductVersionNumber: 1.2.5.40626
FileVersionNumber: 1.2.5.40626
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1cb515
UninitializedDataSize: -
InitializedDataSize: 1205760
CodeSize: 2125824
LinkerVersion: 14
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, 32-bit
TimeStamp: 2024:07:01 04:01:24+00:00
MachineType: Intel 386 or later, and compatibles
No data.
Total processes: 120
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #SALITY e4650e321e015588030694415b45ca7faa8258149c630b811fa2e2bb80817367.exe

Process information

PID: 6296
CMD: "C:\Users\admin\Desktop\e4650e321e015588030694415b45ca7faa8258149c630b811fa2e2bb80817367.exe"
Path: C:\Users\admin\Desktop\e4650e321e015588030694415b45ca7faa8258149c630b811fa2e2bb80817367.exe
Parent process: explorer.exe
User: admin
Company: 沧州句号网络科技有限公司
Integrity Level: MEDIUM
Description: GoodZip-WIN助手
Exit code: 0
Modules (images loaded):
c:\users\admin\desktop\e4650e321e015588030694415b45ca7faa8258149c630b811fa2e2bb80817367.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 1 334
Read events: 289
Write events: 1 045
Delete events: 0

Modification events (all by PID 6296, e4650e321e015588030694415b45ca7faa8258149c630b811fa2e2bb80817367.exe; operation: write)

Key | Name | Value
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | GlobalUserOffline | 0
HKEY_CURRENT_USER\SOFTWARE\Tvidl | a1_0 | (empty)
HKEY_CURRENT_USER\SOFTWARE\Tvidl | a2_0 | 7620
HKEY_CURRENT_USER\SOFTWARE\Tvidl | a3_0 | 17001001
HKEY_CURRENT_USER\SOFTWARE\Tvidl | a4_0 | 0
HKEY_CURRENT_USER\SOFTWARE\Tvidl | a1_1 | (empty)
HKEY_CURRENT_USER\SOFTWARE\Tvidl | a2_1 | (empty)
HKEY_CURRENT_USER\SOFTWARE\Tvidl | a3_1 | (empty)
HKEY_CURRENT_USER\SOFTWARE\Tvidl | a4_1 | (empty)
HKEY_CURRENT_USER\SOFTWARE\Tvidl | a1_2 | (empty)
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 6296
Process: e4650e321e015588030694415b45ca7faa8258149c630b811fa2e2bb80817367.exe
Filename: C:\Users\admin\AppData\Local\Temp\winhhrk.exe
Type: executable
MD5: B360FA63134A63F9ACFE046D2DFE10D9
SHA256: 03E0C6C4CA8A24F961477887763397045E67862E059F7494014AEFC21891D40E

HTTP(S) requests: 6
TCP/UDP connections: 23
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1596 | RUXIMICS.exe | GET | 200 | 23.48.23.167:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.167:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4328 | svchost.exe | GET | 200 | 23.48.23.167:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1596 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4328 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4328 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1596 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 92.123.104.42:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
1596 | RUXIMICS.exe | 23.48.23.167:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.167:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4328 | svchost.exe | 23.48.23.167:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1596 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
www.bing.com | 92.123.104.42, 92.123.104.29, 92.123.104.37, 92.123.104.38, 92.123.104.35, 92.123.104.26, 92.123.104.34, 92.123.104.23, 92.123.104.32 | whitelisted
google.com | 142.250.184.206 | whitelisted
crl.microsoft.com | 23.48.23.167, 23.48.23.166, 23.48.23.143, 23.48.23.156, 23.48.23.159, 23.48.23.173, 23.48.23.177, 23.48.23.147, 23.48.23.141 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
self.events.data.microsoft.com | 20.189.173.14 | whitelisted

Threats: No threats detected
Debug info: none