File name: 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA

Full analysis: https://app.any.run/tasks/851f4af6-ea73-4235-ba3e-c22db9996e44
Verdict: Malicious activity
Analysis date: October 14, 2019, 15:43:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: A12B895823F5E298E68273E4548359CF
SHA1: 7ADEDDA381916E59F53321EF9CB9D92585C1B317
SHA256: F9C2183A5B5D1A7470F472E1F4DE2CCF132043D863FCDC57678DFB53E6E789B5
SSDEEP: 12288:3lJojnFwQDFpdyptXzW5uycHexzVb/xXFHaTWUxAVZxoBtqHcQuj2NgK:Xoj66sjYuy7xzJx0Tax1c0NgK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • sysprep.exe (PID: 1800)
      • svchost.exe (PID: 864)
    • Creates or modifies windows services
      • sysprep.exe (PID: 1800)
  • SUSPICIOUS
    • Creates files in the Windows directory
      • wusa.exe (PID: 1536)
      • sysprep.exe (PID: 1800)
    • Executable content was dropped or overwritten
      • wusa.exe (PID: 1536)
      • 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe (PID: 1888)
      • sysprep.exe (PID: 1800)
    • Removes files from Windows directory
      • wusa.exe (PID: 1536)
      • svchost.exe (PID: 864)
    • Starts CMD.EXE for commands execution
      • 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe (PID: 1888)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | DOS Executable Generic (100)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:08:06 06:34:37+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 12288
InitializedDataSize: 864256
UninitializedDataSize: -
EntryPoint: 0x364a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 06-Aug-2016 04:34:37
Detected languages:
  • Chinese - PRC
CompanyName: -
FileDescription: COM MAIN
FileVersion: 5, 0, 0, 1
InternalName: COM MAIN
LegalCopyright: 2015
LegalTrademarks: -
OriginalFilename: COM.EXE
ProductName: COM MAIN
ProductVersion: 5, 0, 0, 1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x4550
Checksum: 0x0000
Initial IP value: 0x014C
Initial CS value: 0x0012
Overlay number: 0x57A5
OEM identifier: 0x00E0
OEM information: 0x010F
Address of NE header: 0x00000010

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 18
Time date stamp: 06-Aug-2016 04:34:37
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
f5cD | 0x00001000 | 0x00002BB6 | 0x00003000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.70386
PAGEKDD | 0x00004000 | 0x0000227A | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.31707
.loikut | 0x00007000 | 0x000CAE98 | 0x000CB000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.55885
.fwQO | 0x000D2000 | 0x00004510 | 0x00005000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.96208
.GOMHWW | 0x000D7000 | 0x00001000 | 0x00001000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.16839
.tc | 0x000D8000 | 0x00001000 | 0x00001000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.16839
.aspack | 0x000E0000 | 0x00001000 | 0x00001000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.16839
.bin | 0x000DC000 | 0x00001000 | 0x00001000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.16839
/42 | 0x000DB000 | 0x00001000 | 0x00001000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.16839
UPX1 | 0x000DD000 | 0x00001000 | 0x00001000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.16839

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.31427 | 676 | UNKNOWN | Chinese - PRC | RT_VERSION
2 | 2.4028 | 744 | UNKNOWN | Chinese - PRC | RT_ICON
3 | 2.68898 | 296 | UNKNOWN | Chinese - PRC | RT_ICON
6 | 2.6517 | 56 | UNKNOWN | Chinese - PRC | RT_ACCELERATOR
7 | 5.07668 | 170 | UNKNOWN | Chinese - PRC | RT_STRING
9 | 2.50165 | 138 | UNKNOWN | Chinese - PRC | RT_STRING
100 | 3.26413 | 178 | UNKNOWN | Chinese - PRC | RT_DIALOG
128 | 2.77177 | 30 | UNKNOWN | Chinese - PRC | UNKNOWN
129 | 2.47702 | 34 | UNKNOWN | Chinese - PRC | RT_GROUP_ICON
3585 | 1.43035 | 48 | UNKNOWN | Chinese - PRC | RT_STRING

Imports

KERNEL32.dll
MFC42u.DLL
MSVCP60.dll
MSVCRT.dll
SHELL32.dll
USER32.dll
No data.
All screenshots are available in the full report
Total processes: 55
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Process nodes: start, 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_rla.exe, wusa.exe (no specs), wusa.exe, sysprep.exe (no specs), sysprep.exe, svchost.exe, cmd.exe (no specs)

Process information

PID: 1888
CMD: "C:\Users\admin\AppData\Local\Temp\7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe"
Path: C:\Users\admin\AppData\Local\Temp\7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: COM MAIN
Exit code: 0
Version: 5, 0, 0, 1

PID: 788
CMD: "C:\Windows\system32\wusa.exe" "C:\Users\admin\AppData\Local\Temp\ISUAC_MC_jgsajtnl.msu" /extract:C:\Windows\system32\sysprep
Path: C:\Windows\system32\wusa.exe
Parent process: 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Update Standalone Installer
Exit code: 3221226540
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1536
CMD: "C:\Windows\system32\wusa.exe" "C:\Users\admin\AppData\Local\Temp\ISUAC_MC_jgsajtnl.msu" /extract:C:\Windows\system32\sysprep
Path: C:\Windows\system32\wusa.exe
Parent process: 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Update Standalone Installer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2648
CMD: "C:\Windows\system32\sysprep\sysprep.exe" C:\Users\admin\AppData\Local\Temp\ISUAC_DF_jgsajtnl.tmp
Path: C:\Windows\system32\sysprep\sysprep.exe
Parent process: 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: System Preparation Tool
Exit code: 3221226540
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1800
CMD: "C:\Windows\system32\sysprep\sysprep.exe" C:\Users\admin\AppData\Local\Temp\ISUAC_DF_jgsajtnl.tmp
Path: C:\Windows\system32\sysprep\sysprep.exe
Parent process: 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: System Preparation Tool
Exit code: 4294967227
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 864
CMD: C:\Windows\system32\svchost.exe -k netsvcs
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2996
CMD: "C:\Windows\System32\cmd.exe" /c del /q C:\Users\admin\AppData\Local\Temp\7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe
Path: C:\Windows\System32\cmd.exe
Parent process: 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 94
Read events: 76
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 3
Suspicious files: 3
Text files: 4
Unknown types: 3

Dropped files

PID | Process | Filename | Type
1888 | 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe | C:\Users\admin\AppData\Local\Temp\emcBA52.tmp |
MD5:
SHA256:
1888 | 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe | C:\Users\admin\AppData\Local\Temp\emcBA53.tmp |
MD5:
SHA256:
1888 | 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe | C:\Users\admin\AppData\Local\Temp\emcBA54.tmp |
MD5:
SHA256:
1888 | 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe | C:\Users\admin\AppData\Local\Temp\emcBA55.tmp |
MD5:
SHA256:
1888 | 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe | C:\Users\admin\AppData\Local\Temp\emcBA56.tmp |
MD5:
SHA256:
1536 | wusa.exe | C:\Windows\system32\sysprep\$dpx$.tmp\1b032b9dbc5e544a9d4a620dec856567.tmp |
MD5:
SHA256:
1536 | wusa.exe | C:\Windows\Logs\DPX\setuperr.log |
MD5:
SHA256:
1800 | sysprep.exe | C:\Windows\system32\sysprep\Panther\setuperr.log |
MD5:
SHA256:
1800 | sysprep.exe | C:\Windows\system32\RCoResX64.dat | executable
MD5: 76ADA4A0F1BA9639E4AA049C76D6A444
SHA256: B01E5B5EA94A39EB3A80339987C68AE4CB8B90E68F9C794D01D6C3AC1FB8759F
1888 | 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe | C:\Users\admin\AppData\Local\Temp\ISUAC_MC_jgsajtnl.msu | compressed
MD5: 869CBCD6C21EA89812ED2F50C1D4E485
SHA256: 8EF001A452A0AB64C3C676AB0C02A80AB9AAB2DCC12EA7784E8C9C2E6508C68A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
 | | POST | | 208.110.71.114:80 | http://208.110.71.114:80/acfkaqfa.php?hdr_ctx=211_216 | US | | | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 208.110.71.114:80 | dns1-1.verifysign.org | WholeSale Internet, Inc. | US | malicious
 | | 208.110.71.114:53 | dns1-1.verifysign.org | WholeSale Internet, Inc. | US | malicious

DNS requests

Domain | IP | Reputation
dns1-1.verifysign.org | 208.110.71.114 | malicious
dns.msftncsi.com | 131.107.255.255 | shared
rp.gamepoer7.com | 208.110.71.114 | malicious

Threats

No threats detected
Process | Message
7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe | InstallSetupUAC Begin
7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe | InstallSetupUAC Running
svchost.exe | Load SCD
7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e_RLA.exe | InstallSetupUAC End
svchost.exe | Thread LoadServer
svchost.exe | PACKET_TYPE_HTTP