analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

DTCenSvc.exe

Full analysis: https://app.any.run/tasks/76edd9c8-892c-4f51-9579-fcb10b371039
Verdict: Malicious activity
Analysis date: October 14, 2019, 10:07:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

D79D0AA2F85DE575BD01941F35DE4464

SHA1:

CF688E07BBC7990EA370AE01BDE7F01A555D5C50

SHA256:

E613A29DC068317792D469819C45E914F2A9AFF348AB301933A04590D59925A5

SSDEEP:

6144:Aw+RnbPrUc4SAlsU7f8TLy8RcfzCoC6MVJGSjbILR:z+peSAOQ8Pxgz33ikR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • DTCenSvc.exe (PID: 4056)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • DTCenSvc.exe (PID: 4056)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:03:29 10:41:59+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 28672
InitializedDataSize: 119808
UninitializedDataSize: 1024
EntryPoint: 0x3c60
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 29-Mar-2014 09:41:59
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 29-Mar-2014 09:41:59
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00006FCF
0x00007000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.50039
.rdata
0x00008000
0x00001198
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.24353
.data
0x0000A000
0x0001AF9C
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.68549
.ndata
0x00025000
0x0000A000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0002F000
0x00003EC0
0x00004000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.90811

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.10394
533
UNKNOWN
English - United States
RT_MANIFEST
2
5.9993
3752
UNKNOWN
English - United States
RT_ICON
3
6.24459
2216
UNKNOWN
English - United States
RT_ICON
4
5.01502
1384
UNKNOWN
English - United States
RT_ICON
5
6.16057
1128
UNKNOWN
English - United States
RT_ICON
6
3.34146
744
UNKNOWN
English - United States
RT_ICON
7
3.04232
296
UNKNOWN
English - United States
RT_ICON
103
2.6691
104
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.68733
494
UNKNOWN
English - United States
RT_DIALOG
106
2.86626
228
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start dtcensvc.exe no specs dtcensvc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2456"C:\Users\admin\AppData\Local\Temp\DTCenSvc.exe" C:\Users\admin\AppData\Local\Temp\DTCenSvc.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
4056"C:\Users\admin\AppData\Local\Temp\DTCenSvc.exe" C:\Users\admin\AppData\Local\Temp\DTCenSvc.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Total events
372
Read events
354
Write events
18
Delete events
0

Modification events

(PID) Process:(4056) DTCenSvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DTCenSvc_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4056) DTCenSvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DTCenSvc_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(4056) DTCenSvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DTCenSvc_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(4056) DTCenSvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DTCenSvc_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(4056) DTCenSvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DTCenSvc_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(4056) DTCenSvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DTCenSvc_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(4056) DTCenSvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DTCenSvc_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4056) DTCenSvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DTCenSvc_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(4056) DTCenSvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DTCenSvc_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(4056) DTCenSvc.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\DTCenSvc_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4056DTCenSvc.exeC:\Users\admin\AppData\Local\Temp\nsuACD5.tmp\INetC.dllexecutable
MD5:2B342079303895C50AF8040A91F30F71
SHA256:2D5D89025911E2E273F90F393624BE4819641DBEE1606DE792362E442E54612F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
6
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4056
DTCenSvc.exe
GET
106.75.135.138:80
http://union.hao3603.com/api/down
CN
malicious
4056
DTCenSvc.exe
GET
106.75.135.138:80
http://union.hao3603.com/api/down
CN
malicious
4056
DTCenSvc.exe
GET
106.75.135.138:80
http://union.hao3603.com/api/down
CN
malicious
4056
DTCenSvc.exe
GET
106.75.135.138:80
http://union.hao3603.com/api/down
CN
malicious
4056
DTCenSvc.exe
GET
106.75.135.138:80
http://union.hao3603.com/api/down
CN
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4056
DTCenSvc.exe
106.75.135.138:80
union.hao3603.com
CHINANET Guangdong province network
CN
malicious

DNS requests

Domain
IP
Reputation
union.hao3603.com
  • 106.75.135.138
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
4056
DTCenSvc.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
4056
DTCenSvc.exe
Misc activity
SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
4056
DTCenSvc.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
4056
DTCenSvc.exe
Misc activity
SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
4056
DTCenSvc.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
4056
DTCenSvc.exe
Misc activity
SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
4056
DTCenSvc.exe
Generic Protocol Command Decode
SURICATA STREAM CLOSEWAIT FIN out of window
4056
DTCenSvc.exe
Potentially Bad Traffic
ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))
4056
DTCenSvc.exe
Misc activity
SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
DTCenSvc.exe