analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

pratnm.exe

Full analysis: https://app.any.run/tasks/755a5c46-2015-4f0d-b896-0c0110aef321
Verdict: Malicious activity
Analysis date: July 11, 2019, 19:22:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

31AD356C7B009571F219BE2ECBB9F633

SHA1:

8B46D79C69AAF4A25604A376A1C5580FD52E4077

SHA256:

F43675215A8F73680EE87FDBF3CDA2387491036DDD495AD159F9E9B6C39EC849

SSDEEP:

3072:LBRYOG3oaZUFpzjAX/pKcP9rHwbSB3yG0HIxVxcGt:LPyMFJAvEcP9rHekyG0oxVxcGt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was injected by another process

      • dwm.exe (PID: 2008)
      • taskeng.exe (PID: 1968)
      • explorer.exe (PID: 284)
      • windanr.exe (PID: 2312)
      • ctfmon.exe (PID: 328)

    • Runs injected code in another process

      • pratnm.exe (PID: 3196)

    • UAC/LUA settings modification

      • pratnm.exe (PID: 3196)

    • Changes Security Center notification settings

      • pratnm.exe (PID: 3196)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | DOS Executable Generic (100)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2002:02:10 14:15:37+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 512
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x1040
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 10-Feb-2002 13:15:37
Debug artifacts:
  • Embedded COFF debugging symbols

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0x4550
Initial SS value: 0x0000
Initial SP value: 0x014C
Checksum: 0x0001
Initial IP value: 0x7279
Initial CS value: 0x3C66
Overlay number: 0x726F
OEM identifier: 0x010B
OEM information: 0x0006
Address of NE header: 0x0000000C

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 1
Time date stamp: 10-Feb-2002 13:15:37
Pointer to Symbol Table: 0x726F4C5B
Number of symbols: 1564823652
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00013000
0x00012200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.98931

Imports

KERNEL32.dll
USER32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
inject inject inject inject start pratnm.exe no specs taskeng.exe dwm.exe explorer.exe ctfmon.exe windanr.exe

Process information

PID
CMD
Path
Indicators
Parent process
3196"C:\Users\admin\AppData\Local\Temp\pratnm.exe" C:\Users\admin\AppData\Local\Temp\pratnm.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
1968taskeng.exe {FA8A93EA-9DCA-4147-A6DE-E12E6DFDC0AF}C:\Windows\System32\taskeng.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Engine
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2008"C:\Windows\system32\Dwm.exe"C:\Windows\System32\dwm.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Desktop Window Manager
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
284C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
328C:\Windows\System32\ctfmon.exe C:\Windows\System32\ctfmon.exe
taskeng.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
CTF Loader
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2312"windanr.exe"C:\Windows\system32\windanr.exe
qemu-ga.exe
User:
admin
Integrity Level:
MEDIUM
Total events
116
Read events
58
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3196pratnm.exeC:\Users\admin\AppData\Local\Temp\winyqhhyj.exe
MD5:
SHA256:
3196pratnm.exeC:\Users\admin\AppData\Local\VirtualStore\Windows\system.inibinary
MD5:BCAFE17CFF48AF52C2A011F4CFCBFEA7
SHA256:E34925A4741C07026684236D7B999FA2538D7979DBABF516C8A734D24CA3D5E2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
pratnm.exe