| File name: | MC SERVER GUI 1.6.4.exe |
| Full analysis: | https://app.any.run/tasks/e0f03534-c483-4464-a9fc-7a39fae6c542 |
| Verdict: | Malicious activity |
| Analysis date: | November 25, 2023, 21:24:38 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 312BC8FB44162FDB15A752DBAF3C0DEA |
| SHA1: | B7E8813A63B6A1747E8255FF187666FC1349201F |
| SHA256: | E95A29225DD9671E484C279B80507C843010D21B6F1532F7D5220BB7A3BF7574 |
| SSDEEP: | 98304:yLsHZ5eyGx+MhfLNaB7Q3HwNLkyct0ZaUvxl0Tt/TlCg3n0GmffxLjS74Stp06O+:v5edRw/VweaMpkyjCBgpUV |
MALICIOUS
Drops the executable file immediately after the start
- MC SERVER GUI 1.6.4.exe (PID: 2232)
SUSPICIOUS
Drops 7-zip archiver for unpacking
- MC SERVER GUI 1.6.4.exe (PID: 2232)
Starts CMD.EXE for commands execution
- Server GUI.exe (PID: 2840)
INFO
Reads the computer name
- MC SERVER GUI 1.6.4.exe (PID: 2232)
Checks supported languages
- MC SERVER GUI 1.6.4.exe (PID: 2232)
- Server GUI.exe (PID: 2840)
- 7za.exe (PID: 2204)
- 7za.exe (PID: 3984)
- 7za.exe (PID: 2584)
Create files in a temporary directory
- MC SERVER GUI 1.6.4.exe (PID: 2232)
Creates files in the program directory
- MC SERVER GUI 1.6.4.exe (PID: 2232)
- cmd.exe (PID: 1072)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | InstallShield setup (53.2) |
|---|---|---|
| .exe | | | Win32 Executable Delphi generic (17.5) |
| .scr | | | Windows screen saver (16.1) |
| .exe | | | Win32 Executable (generic) (5.5) |
| .exe | | | Win16/32 Executable Delphi generic (2.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:20 00:22:17+02:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 94208 |
| InitializedDataSize: | 386048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x17de0 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.6.4.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | - |
| CompanyName: | CODEFISH |
| FileDescription: | MINICRAFT SERVER GUI 1.6.4 RUS 1.6.4 Installation |
| FileVersion: | 1.6.4 |
| LegalCopyright: | CODEFISH |
Total processes
213
Monitored processes
116
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 124 | C:\Windows\system32\cmd.exe /c ""Netstat" "-e" >"C:\Program Files\CODEFISH\MINICRAFT SERVER GUI 1.6.4 RUS\guinetwork.dat"" | C:\Windows\System32\cmd.exe | — | Server GUI.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 188 | "Netstat" "-e" | C:\Windows\System32\NETSTAT.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Netstat Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 292 | "Netstat" "-e" | C:\Windows\System32\NETSTAT.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Netstat Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 316 | C:\Windows\system32\cmd.exe /c ""Netstat" "-e" >"C:\Program Files\CODEFISH\MINICRAFT SERVER GUI 1.6.4 RUS\guinetwork.dat"" | C:\Windows\System32\cmd.exe | — | Server GUI.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 448 | C:\Windows\system32\cmd.exe /c ""Netstat" "-e" >"C:\Program Files\CODEFISH\MINICRAFT SERVER GUI 1.6.4 RUS\guinetwork.dat"" | C:\Windows\System32\cmd.exe | — | Server GUI.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 684 | "Netstat" "-e" | C:\Windows\System32\NETSTAT.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Netstat Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 880 | "Netstat" "-e" | C:\Windows\System32\NETSTAT.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Netstat Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 900 | C:\Windows\system32\cmd.exe /c ""Netstat" "-e" >"C:\Program Files\CODEFISH\MINICRAFT SERVER GUI 1.6.4 RUS\guinetwork.dat"" | C:\Windows\System32\cmd.exe | — | Server GUI.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 952 | "Netstat" "-e" | C:\Windows\System32\NETSTAT.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Netstat Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 968 | "Netstat" "-e" | C:\Windows\System32\NETSTAT.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Netstat Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
7 801
Read events
7 746
Write events
55
Delete events
0
Modification events
| (PID) Process: | (2232) MC SERVER GUI 1.6.4.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | GlobalAssocChangedCounter |
Value: 115 | |||
| (PID) Process: | (1936) NETSTAT.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters |
| Operation: | write | Name: | TrapPollTimeMilliSecs |
Value: 15000 | |||
| (PID) Process: | (2304) NETSTAT.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters |
| Operation: | write | Name: | TrapPollTimeMilliSecs |
Value: 15000 | |||
| (PID) Process: | (3208) NETSTAT.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters |
| Operation: | write | Name: | TrapPollTimeMilliSecs |
Value: 15000 | |||
| (PID) Process: | (1016) NETSTAT.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters |
| Operation: | write | Name: | TrapPollTimeMilliSecs |
Value: 15000 | |||
| (PID) Process: | (2548) NETSTAT.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters |
| Operation: | write | Name: | TrapPollTimeMilliSecs |
Value: 15000 | |||
| (PID) Process: | (880) NETSTAT.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters |
| Operation: | write | Name: | TrapPollTimeMilliSecs |
Value: 15000 | |||
| (PID) Process: | (3288) NETSTAT.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters |
| Operation: | write | Name: | TrapPollTimeMilliSecs |
Value: 15000 | |||
| (PID) Process: | (3384) NETSTAT.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters |
| Operation: | write | Name: | TrapPollTimeMilliSecs |
Value: 15000 | |||
| (PID) Process: | (3092) NETSTAT.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters |
| Operation: | write | Name: | TrapPollTimeMilliSecs |
Value: 15000 | |||
Executable files
14
Suspicious files
17
Text files
112
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2232 | MC SERVER GUI 1.6.4.exe | C:\Users\admin\AppData\Local\Temp\$inst\temp_0.tmp | — | |
MD5:— | SHA256:— | |||
| 2232 | MC SERVER GUI 1.6.4.exe | C:\Users\admin\AppData\Local\Temp\$inst\2.tmp | compressed | |
MD5:BB6737FB623B11A27B52F2F93123BC0C | SHA256:16F2E361E46862606922D59F8B68C7F6A5BF2C290DC084A25922A03C594541E7 | |||
| 2232 | MC SERVER GUI 1.6.4.exe | C:\Program Files\CODEFISH\MINICRAFT SERVER GUI 1.6.4 RUS\plugins\AutoSave\config.properties | xml | |
MD5:0F5C5BEB39824236426FDF049AEC7952 | SHA256:5D80D6A174DAD63F31D2F72FF5CEDF4E29F1FAAD8B0A2105E64249FAAFAED6C5 | |||
| 2232 | MC SERVER GUI 1.6.4.exe | C:\Program Files\CODEFISH\MINICRAFT SERVER GUI 1.6.4 RUS\plugins\dynmap\colorschemes\sk89q.txt | text | |
MD5:61D1E334B93A9555A052DC7FB8774C39 | SHA256:3504CED48CCF4AE2AD28A68B50DEDB5E64C8704E95BD08E0469B5A7F096806ED | |||
| 2232 | MC SERVER GUI 1.6.4.exe | C:\Program Files\CODEFISH\MINICRAFT SERVER GUI 1.6.4 RUS\plugins\dynmap\colorschemes\flames.txt | text | |
MD5:28ABD358875C56C515C54BA52A973A3F | SHA256:B1753716334933DAE4BF0471C634CA4BBD9C9CFEADDB1C06C56A9596BA4FAAD0 | |||
| 2232 | MC SERVER GUI 1.6.4.exe | C:\Program Files\CODEFISH\MINICRAFT SERVER GUI 1.6.4 RUS\plugins\dynmap\configuration.txt | text | |
MD5:9C0C14F6EFF214707030C950A6AE7A21 | SHA256:744F2AF1FA92B4AA986BCCBC45F40243B06E2427FEFADFA7D14B8A840F0BD4B9 | |||
| 2232 | MC SERVER GUI 1.6.4.exe | C:\Program Files\CODEFISH\MINICRAFT SERVER GUI 1.6.4 RUS\plugins\dynmap\web\config.js | text | |
MD5:A2F8549E520EAD432937ADA07C72CD96 | SHA256:2C749BCD866422A958E98B9749A5C20BF88411343072DF7EA7ECA2E07E06C8B5 | |||
| 2232 | MC SERVER GUI 1.6.4.exe | C:\Users\admin\AppData\Local\Temp\$inst\7.tmp | image | |
MD5:420AEE57B5E083D256D28E45EF887ADB | SHA256:1EFB1A8831F68B443A3E3A06599E914162DC1A9B1B8F9EBC8020B40B72BBFB80 | |||
| 2232 | MC SERVER GUI 1.6.4.exe | C:\Program Files\CODEFISH\MINICRAFT SERVER GUI 1.6.4 RUS\lib\sqlite.jar | compressed | |
MD5:C60C1A720D27FCBC3C70F499571FB33F | SHA256:1E7FF80C80D08EBD83E6D1E6574A812693238D5BC7EF3F0C463895D90ED144D0 | |||
| 2232 | MC SERVER GUI 1.6.4.exe | C:\Users\admin\AppData\Local\Temp\$inst\4.tmp | image | |
MD5:A0F7B4EEDCF3F85D96039A3F34C8FD42 | SHA256:DD78CD2CDE6F34225470C3BD7627E70C5E78EBD69F9A776140B23905A122F8CC | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |