analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

baza.exe

Full analysis: https://app.any.run/tasks/0b1998c5-1884-4450-8931-00d616a251bf
Verdict: Malicious activity
Analysis date: November 30, 2020, 05:08:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

0D641712FCF69634A30F6906C8D6E41A

SHA1:

CAC704CA4C783D03A42E58C2ADFE6755BF30874E

SHA256:

F7F3FE0AAA41672B84F0B191A59D05FEA5EA78B03F44CB437FA7B44FFD72E8A5

SSDEEP:

768:USL1BSYwBW1VuN9DJV+YlQ8aruFXXJHr3MWDsjyegIlt0ITTiGy2rm:5a70krDJQcyyFBLMWregIlt0+F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2176)
      • cmd.exe (PID: 3472)
      • cmd.exe (PID: 2376)

    • Changes the autorun value in the registry

      • g7zB79A.exe (PID: 1720)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • baza.exe (PID: 1240)

    • Starts CMD.EXE for commands execution

      • baza.exe (PID: 1240)
      • g7zB79A.exe (PID: 1720)
      • baza.exe (PID: 2460)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x5b16
UninitializedDataSize: -
InitializedDataSize: 15872
CodeSize: 23552
LinkerVersion: 14
PEType: PE32
TimeStamp: 2020:06:26 16:15:39+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 26-Jun-2020 14:15:39

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 26-Jun-2020 14:15:39
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00005A3E
0x00005C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.51728
.rdata
0x00007000
0x00002240
0x00002400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.14993
.data
0x0000A000
0x00001482
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.0203931
.reloc
0x0000C000
0x000002F0
0x00000400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
5.41207

Imports

KERNEL32.dll
USER32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
10
Malicious processes
2
Suspicious processes
3

Behavior graph

Click at the process to see the details
start baza.exe no specs cmd.exe no specs ping.exe no specs baza.exe cmd.exe no specs ping.exe no specs g7zb79a.exe cmd.exe no specs ping.exe no specs g7zb79a.exe

Process information

PID
CMD
Path
Indicators
Parent process
2460"C:\Users\admin\AppData\Local\Temp\baza.exe" C:\Users\admin\AppData\Local\Temp\baza.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2376cmd /c ping 8.8.8.8 -n 2 & C:\Users\admin\AppData\Local\Temp\baza.exe 0smzC:\Windows\system32\cmd.exebaza.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3424ping 8.8.8.8 -n 2 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1240C:\Users\admin\AppData\Local\Temp\baza.exe 0smzC:\Users\admin\AppData\Local\Temp\baza.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
2176cmd /c ping 8.8.8.8 -n 2 & C:\Users\admin\AppData\Local\Temp\g7zB79A.exe 0smaC:\Windows\system32\cmd.exebaza.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3064ping 8.8.8.8 -n 2 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1720C:\Users\admin\AppData\Local\Temp\g7zB79A.exe 0smaC:\Users\admin\AppData\Local\Temp\g7zB79A.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
3472cmd /c ping 8.8.8.8 -n 2 & C:\Users\admin\AppData\Local\Temp\g7zB79A.exe 0smbC:\Windows\system32\cmd.exeg7zB79A.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2224ping 8.8.8.8 -n 2 C:\Windows\system32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1556C:\Users\admin\AppData\Local\Temp\g7zB79A.exe 0smbC:\Users\admin\AppData\Local\Temp\g7zB79A.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Total events
58
Read events
48
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
104
Unknown types
0

Dropped files

PID
Process
Filename
Type
1240baza.exeC:\Temp\RLoader.logtext
MD5:112005040770FFA315F2BF07DBDCE107
SHA256:D086B9F947D4DA79CDDA5A9803F0F223001052537D8966FCAB04AF664E302F43
2460baza.exeC:\Temp\RLoader.logtext
MD5:2235B0ABF42E24B16FB683621D23FC14
SHA256:930FA75B65619D402370E4C5B7E4D8C82331A99E06C3BCF1737FEAABBDACC120
1720g7zB79A.exeC:\Temp\RLoader.logtext
MD5:D34F3253F948826B827232986BC8F59F
SHA256:6C021FCE893E0FEF809ECFAC677BF2DF734DC6EBF48DDF8E6A354BBA3B53A7FF
1240baza.exeC:\Users\admin\AppData\Local\Temp\g7zB79A.exeexecutable
MD5:0D641712FCF69634A30F6906C8D6E41A
SHA256:F7F3FE0AAA41672B84F0B191A59D05FEA5EA78B03F44CB437FA7B44FFD72E8A5
1556g7zB79A.exeC:\Temp\RLoader.logtext
MD5:F57E83B9C4C09A4562926CD5173BAA02
SHA256:4F511B213E0BE6F9E20AB7956E0CF32C0B88AAB15254BB60968401B3DFBCB16A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1556
g7zB79A.exe
85.204.116.149:443
RO
malicious
1556
g7zB79A.exe
107.173.114.117:443
ColoCrossing
US
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
baza.exe