| File name: | Trojan.Asprox.exe |
| Full analysis: | https://app.any.run/tasks/07a82b95-3112-4a94-87ac-bdeca42a4581 |
| Verdict: | Malicious activity |
| Analysis date: | January 15, 2022, 00:47:50 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5: | D062D420E2AC73B0211AFE30063807FA |
| SHA1: | C3BA72FB3F48BD3B4A5FE8B04E3F8B8398E624C1 |
| SHA256: | F1B8A10F27CC597281BDD423FD7E9829ECBF036EBE6E7E00D054C55F01454BD8 |
| SSDEEP: | 1536:eTFOnhmTIgT+jv+d6tS5s8li+C89pjIk7xpPnXv0HX0cFNFXf3FBsThnzUsHR3ej:eBTdPj22FLnIS/0HEQFIn5HRg/J |
MALICIOUS
Drops executable file immediately after starts
- svchost.exe (PID: 628)
Uses SVCHOST.EXE for hidden code execution
- Trojan.Asprox.exe (PID: 1256)
SUSPICIOUS
Checks supported languages
- Trojan.Asprox.exe (PID: 1256)
Reads the date of Windows installation
- svchost.exe (PID: 628)
Executable content was dropped or overwritten
- svchost.exe (PID: 628)
INFO
Reads the computer name
- svchost.exe (PID: 628)
Checks supported languages
- svchost.exe (PID: 628)
- NOTEPAD.EXE (PID: 964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | UPX compressed Win32 Executable (39.3) |
|---|---|---|
| .exe | | | Win32 EXE Yoda's Crypter (38.6) |
| .dll | | | Win32 Dynamic Link Library (generic) (9.5) |
| .exe | | | Win32 Executable (generic) (6.5) |
| .exe | | | Generic Win/DOS Executable (2.9) |
EXIF
EXE
| Subsystem: | Windows GUI |
|---|---|
| SubsystemVersion: | 5 |
| ImageVersion: | - |
| OSVersion: | 5 |
| EntryPoint: | 0x2b090 |
| UninitializedDataSize: | 86016 |
| InitializedDataSize: | 8192 |
| CodeSize: | 90112 |
| LinkerVersion: | 9 |
| PEType: | PE32 |
| TimeStamp: | 2013:12:26 22:47:41+01:00 |
| MachineType: | Intel 386 or later, and compatibles |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 26-Dec-2013 21:47:41 |
| Detected languages: |
|
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x000000E0 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 3 |
| Time date stamp: | 26-Dec-2013 21:47:41 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x00015000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x00016000 | 0x00016000 | 0x00015400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.94441 |
.rsrc | 0x0002C000 | 0x00002000 | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.3031 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 5.03007 | 652 | UNKNOWN | English - United States | RT_MANIFEST |
Imports
KERNEL32.DLL |
msi.dll |
ole32.dll |
Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 628 | svchost.exe | C:\Windows\system32\svchost.exe | Trojan.Asprox.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Host Process for Windows Services Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 964 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\Trojan.Asprox.txt | C:\Windows\system32\NOTEPAD.EXE | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1256 | "C:\Users\admin\AppData\Local\Temp\Trojan.Asprox.exe" | C:\Users\admin\AppData\Local\Temp\Trojan.Asprox.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
934
Read events
934
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 628 | svchost.exe | C:\Users\admin\AppData\Local\Temp\Trojan.Asprox.txt | binary | |
MD5:43382E1F053304855E9320C71ED3B6CD | SHA256:8D4DC3ADB1C650CBCD8D6BCA245083BE6B4949DC74C19B5630391CAF44BD0D5D | |||
| 628 | svchost.exe | C:\Users\admin\AppData\Local\fdjfetts.exe | executable | |
MD5:D062D420E2AC73B0211AFE30063807FA | SHA256:F1B8A10F27CC597281BDD423FD7E9829ECBF036EBE6E7E00D054C55F01454BD8 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report