File name: windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe

Full analysis: https://app.any.run/tasks/8a9e38f7-6e06-4193-b29f-c4eaab87610e
Verdict: Malicious activity
Analysis date: January 31, 2024, 16:36:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: E425DC0D95FB7D967E94838AF1FFBA41
SHA1: F24D8723F246145524B9030E4752C96430981211
SHA256: FA2F1AC56BB81D236E797AFEA75CE4F4ECF374ED1182E7E2337350F387FD5EAC
SSDEEP: 49152:yyoNv31gx+Llukz2f71wCD+c2GSMQt052jFequv/vPjKakceBh:Q13g0ifmCD+c6tT5Zuv/vb8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe (PID: 392)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe (PID: 392)
    • Starts a Microsoft application from unusual location
      • windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe (PID: 1264)
      • windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe (PID: 392)
    • Executable content was dropped or overwritten
      • windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe (PID: 392)
    • Drops a system driver (possible attempt to evade defenses)
      • windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe (PID: 392)
  • INFO
    • Reads the computer name
      • windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe (PID: 392)
    • Checks supported languages
      • windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe (PID: 392)
    • Reads the machine GUID from the registry
      • windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe (PID: 392)
No Malware configuration.

TRiD

.exe | MS generic-sfx Cabinet File Unpacker (32/64bit MSCFU) (82.5)
.exe | Win32 Executable MS Visual C++ (generic) (7.3)
.exe | Win64 Executable (generic) (6.5)
.dll | Win32 Dynamic Link Library (generic) (1.5)
.exe | Win32 Executable (generic) (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:03:13 07:51:25+01:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, Removable run from swap, Net run from swap
PEType: PE32
LinkerVersion: 7.1
CodeSize: 35840
InitializedDataSize: 4096
UninitializedDataSize: -
EntryPoint: 0x6b23
OSVersion: 5.2
ImageVersion: 5.2
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 6.3.18.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Security Update
FileVersion: 1
InternalName: SFXCAB.EXE
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: SFXCAB.EXE
ProductName: Windows Server 2003/Windows XP x64 Family
ProductVersion: 6.3.0018.0
BuildDate: 2017/02/11
Appliesto: Windows Server 2003/Windows XP x64 Service Pack 2
InstallationType: Full
InstallerVersion: 6.3.4.1
InstallerEngine: update.exe
KBArticleNumber: 4012598
SupportLink: http://support.microsoft.com?kbid=4012598
PackageType: Security Update
ProcArchitecture: amd64
Self-ExtractorVersion: SFXCAB v6.3.18.0
No data.
Total processes: 40
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

[graph omitted] explorer.exe starts windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe (PID 392) and windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe (PID 1264)

Process information

PID 392
  CMD: "C:\Users\admin\AppData\Local\Temp\windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe"
  Path: C:\Users\admin\AppData\Local\Temp\windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Security Update
  Exit code: 0
  Version: 1
  Modules (images):
    c:\users\admin\appdata\local\temp\windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll

PID 1264
  CMD: "C:\Users\admin\AppData\Local\Temp\windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe"
  Path: C:\Users\admin\AppData\Local\Temp\windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Security Update
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 1
  Modules (images):
    c:\users\admin\appdata\local\temp\windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe
    c:\windows\system32\ntdll.dll
Total events: 34
Read events: 34
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 9
Suspicious files: 3
Text files: 2
Unknown types: 0

Dropped files

All files below were dropped by PID 392, windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe.

C:\72ad07a4e64137da08956b\SP2QFE\w03a3409.dll (executable)
  MD5: D7670F5E2B52376ED0B2927009355332
  SHA256: 043680203C4AA2E14C5FB1F838A87F1701A80C381E24AA6C48BC5C683A773DEC
C:\72ad07a4e64137da08956b\spmsg.dll (executable)
  MD5: 05B99D814D583F3B0533222E0C7725FB
  SHA256: 2593FB11ADE55DFB5072262E51371AB4FAD96D3A8A5A7DCD6AC75C72464787C9
C:\72ad07a4e64137da08956b\SP2QFE\wow\ww03a3409.dll (executable)
  MD5: 9DC90D0E86209BA28A547DADF5A40330
  SHA256: 177F8F731EE8D96A6EC469A5DA8F2BE1CF58B31078167F64DCFE4D3FFC351031
C:\72ad07a4e64137da08956b\spuninst.exe (executable)
  MD5: 019D2771D6F6AB51D0DD888EFF240D21
  SHA256: 6349CC0D59D7C2D46865E94B6D0B225A1237269DCDBD0C6BAEEA671B003F1846
C:\72ad07a4e64137da08956b\SP2QFE\srv.sys (executable)
  MD5: 6D88A49C6DA3AB5D5C2B083D42B5175D
  SHA256: BF5511F66428220F9B67DCA2D37B8A3707793BA5C1C15A4A0C2E5D0B4BE81BA4
C:\72ad07a4e64137da08956b\update\spcustom.dll (executable)
  MD5: F56E6CD0A50E9B3049A636141E25A89B
  SHA256: E7A770A3A905675F76D110FC1DEE8728BE8C1665EE3F89026FAFF7CF86B5C159
C:\72ad07a4e64137da08956b\update\update_SP2QFE.inf (text)
  MD5: 99E691A205E907B02D2489C9CE3CF9EE
  SHA256: C7DD31BC8D2D2FB64972C8BD50122A6C9DD4BA59750934C6A6D027F6EADE0707
C:\72ad07a4e64137da08956b\update\branches.inf (binary)
  MD5: 299A3E4AD70AECF8B1865BA8E07DD10E
  SHA256: 367F755307FFBBAB5D0E887182151603381CE42E8FEEAE0F4D219D9597FF0082
C:\72ad07a4e64137da08956b\update\update.exe (executable)
  MD5: 58D02F4B24E448E0ED8455F3D2AAD454
  SHA256: 2327927DF7D768FB4053439881B8C01EF5178B3B6636A66B5A5B77888AEF74BB
C:\72ad07a4e64137da08956b\update\KB4012598.CAT (binary)
  MD5: 962CA4D5D403E98792ADF0711D74C5E7
  SHA256: 059159563E65FD2DB1CEFB66A2DD9F6BA9FF6B2CA1AE4D074418A16A1DCB692F

HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                   Domain  ASN  CN  Reputation
4     System       192.168.100.255:137  -       -    -   whitelisted
4     System       192.168.100.255:138  -       -    -   whitelisted
1080  svchost.exe  224.0.0.252:5355     -       -    -   unknown

DNS requests

No data

Threats

No threats detected
No debug info