File name:

Service Pack 1.exe

Full analysis: https://app.any.run/tasks/4eef9a39-7b34-46c0-8d54-e171edf12b70
Verdict: Malicious activity
Threats:

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Malware Trends Tracker     >>>
Analysis date: August 01, 2024, 13:39:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
darkcomet
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

361186D444EECBAAD4967A624708A889

SHA1:

0D5C486456F15EDBFA4EC999B096C5B258463F1B

SHA256:

E8E99E9DD23F72B1158B6E2B5262F818C235F9A9D3D0695533FDC2B2FE6A87B7

SSDEEP:

12288:X6/k564R2MsyHJGfN02XWDvQi4vGbN5Io1dxdffGslkqLznInK1:X6/l4R2MsypGj9GH3ffGWkmb1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Service Pack 1.exe (PID: 2260)

    • DARKCOMET has been detected (YARA)

      • Service Pack 1.exe (PID: 2260)

  • SUSPICIOUS

    • There is functionality for communication over UDP network (YARA)

      • Service Pack 1.exe (PID: 2260)

    • There is functionality for taking screenshot (YARA)

      • Service Pack 1.exe (PID: 2260)

    • Connects to unusual port

      • Service Pack 1.exe (PID: 2260)

  • INFO

    • Checks supported languages

      • Service Pack 1.exe (PID: 2260)
      • wmpnscfg.exe (PID: 1016)

    • Reads the computer name

      • Service Pack 1.exe (PID: 2260)
      • wmpnscfg.exe (PID: 1016)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 1016)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (31.9)
.scr | Windows screen saver (29.4)
.dll | Win32 Dynamic Link Library (generic) (14.8)
.exe | Win32 Executable (generic) (10.1)
.exe | Win16/32 Executable Delphi generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:07 15:59:53+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 586752
InitializedDataSize: 118784
UninitializedDataSize: -
EntryPoint: 0x8f888
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.0.0.0
ProductVersionNumber: 4.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Remote Service Application
CompanyName: Microsoft Corp.
FileDescription: Remote Service Application
FileVersion: 1, 0, 0, 1
InternalName: MSRSAAPP
LegalCopyright: Copyright (C) 1999
OriginalFileName: MSRSAAP.EXE
ProductName: Remote Service Application
ProductVersion: 4, 0, 0, 0
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT service pack 1.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1016"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2260"C:\Users\admin\AppData\Local\Temp\Service Pack 1.exe" C:\Users\admin\AppData\Local\Temp\Service Pack 1.exe
explorer.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\local\temp\service pack 1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
381
Read events
381
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
14
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
1060
svchost.exe
GET
304
199.232.210.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b
unknown
whitelisted
1372
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1372
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
whitelisted
1372
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
1372
svchost.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
1372
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1060
svchost.exe
199.232.210.172:80
ctldl.windowsupdate.com
FASTLY
US
unknown
2260
Service Pack 1.exe
223.244.83.13:1604
Chinanet
CN
malicious

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
dns.msftncsi.com
  • 131.107.255.255
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Service Pack 1.exe