File name: 8.exe

Full analysis: https://app.any.run/tasks/7bd1c379-c66f-45f2-83d2-ff574dc896e3
Verdict: Malicious activity
Analysis date: March 04, 2022, 12:56:55
OS: Windows 10 Professional (build: 16299, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 69BA88DE5E68683BED26E78693F03FB7
SHA1: EAFD5FCCF9F3C67D68D4217BA9FBADD2DFE96948
SHA256: FD860586369A9F082F023A05A34C4CF54B9B3A017B123E34FDC1AE138A919034
SSDEEP: 3072:QTpfE220vyTdHGM/pvANOhY97Aekz08wqxRFcaHxE:QtpimM/hMIY97ATz08bzrG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • raserver.exe (PID: 3112)
    • Actions looks like stealing of personal data

      • raserver.exe (PID: 3112)
    • Drops executable file immediately after starts

      • Explorer.EXE (PID: 3436)
      • DllHost.exe (PID: 996)
  • SUSPICIOUS

    • Reads the computer name

      • 8.exe (PID: 4512)
      • winyvg4cvfp.exe (PID: 4540)
    • Starts CMD.EXE for commands execution

      • raserver.exe (PID: 3112)
    • Checks supported languages

      • conhost.exe (PID: 2860)
    • Reads Environment values

      • raserver.exe (PID: 3112)
    • Executed via COM

      • DllHost.exe (PID: 996)
    • Executable content was dropped or overwritten

      • Explorer.EXE (PID: 3436)
      • DllHost.exe (PID: 996)
    • Creates files in the program directory

      • DllHost.exe (PID: 996)
    • Creates a directory in Program Files

      • DllHost.exe (PID: 996)
  • INFO

    • Reads the computer name

      • raserver.exe (PID: 3112)
      • DllHost.exe (PID: 996)
      • Firefox.exe (PID: 2720)
    • Manual execution by user

      • raserver.exe (PID: 3112)
    • Checks supported languages

      • cmd.exe (PID: 900)
      • raserver.exe (PID: 3112)
      • DllHost.exe (PID: 996)
    • Reads settings of System Certificates

      • raserver.exe (PID: 3112)
    • Reads the software policy settings

      • raserver.exe (PID: 3112)
    • Checks Windows Trust Settings

      • raserver.exe (PID: 3112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | DOS Executable Generic (100)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1d450
UninitializedDataSize: -
InitializedDataSize: -
CodeSize: 162816
LinkerVersion: 10
PEType: PE32
TimeStamp: 2011:09:29 06:27:29+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 29-Sep-2011 04:27:29

DOS Header

Magic number: MZ
Bytes on last page of file: 0x5245
Pages in file: 0x00E8
Relocations: 0x0000
Size of header: 0x5800
Min extra paragraphs: 0xE883
Max extra paragraphs: 0x8B09
Initial SS value: 0x83C8
Initial SP value: 0x3CC0
Checksum: 0x008B
Initial IP value: 0xC103
Initial CS value: 0xC083
Overlay number: 0xFF08
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000B8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 1
Time date stamp: 29-Sep-2011 04:27:29
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00027B6C | 0x00027C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.32503
No data.
All screenshots are available in the full report
Total processes: 97
Monitored processes: 8
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Processes shown in the graph (edge labels as in the report: "start", "drop and start"; "no specs" marks processes without their own indicators): 8.exe (no specs), raserver.exe, cmd.exe (no specs), conhost.exe (no specs), explorer.exe, firefox.exe (no specs), Copy/Move/Rename/Delete/Link Object, winyvg4cvfp.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process

PID 900 | CMD: /c del "C:\Users\admin\Desktop\8.exe" | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: raserver.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID 996 | CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09} | Path: C:\WINDOWS\system32\DllHost.exe | Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID 2720 | CMD: "C:\Program Files\Mozilla Firefox\Firefox.exe" | Path: C:\Program Files\Mozilla Firefox\Firefox.exe | Parent process: raserver.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 84.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\program files\mozilla firefox\mozglue.dll
PID 2860 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: \??\C:\WINDOWS\system32\conhost.exe | Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\conhost.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\conhostv2.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID 3112 | CMD: "C:\Windows\SysWOW64\raserver.exe" | Path: C:\Windows\SysWOW64\raserver.exe | Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Remote Assistance COM Server
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\raserver.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID 3436 | CMD: C:\WINDOWS\Explorer.EXE | Path: C:\WINDOWS\Explorer.EXE | Parent process: (not listed)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 10.0.16299.15 (WinBuild.160101.0800)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\oleaut32.dll
PID 4512 | CMD: "C:\Users\admin\Desktop\8.exe" | Path: C:\Users\admin\Desktop\8.exe | Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID 4540 | CMD: "C:\Program Files (x86)\Hdxj8y\winyvg4cvfp.exe" | Path: C:\Program Files (x86)\Hdxj8y\winyvg4cvfp.exe | Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\program files (x86)\hdxj8y\winyvg4cvfp.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
Total events: 4 915
Read events: 4 896
Write events: 19
Delete events: 0

Modification events

(PID) Process: (3436) Explorer.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write | Name: IconLayouts
Value: (binary value omitted)

(PID) Process: (3436) Explorer.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts
Operation: write | Name: LastUpdate
Value: 9B0C226200000000

(PID) Process: (3112) raserver.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix
Value: (empty)

(PID) Process: (3112) raserver.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix
Value: Cookie:

(PID) Process: (3112) raserver.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix
Value: Visited:

(PID) Process: (3112) raserver.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass
Value: 1

(PID) Process: (3112) raserver.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName
Value: 1

(PID) Process: (3112) raserver.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet
Value: 1

(PID) Process: (3112) raserver.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect
Value: 0

(PID) Process: (3112) raserver.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\61\52C64B7E
Operation: write | Name: LanguageList
Value: en-US
Executable files: 2
Suspicious files: 10
Text files: 26
Unknown types: 9

Dropped files

PID | Process | Filename | Type

3112 | raserver.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | binary
MD5: (not shown) | SHA256: (not shown)
3112 | raserver.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E | der
MD5: (not shown) | SHA256: (not shown)
3112 | raserver.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | der
MD5: (not shown) | SHA256: (not shown)
3112 | raserver.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7A2566B0F62A979AF1A98E46C5B275CF | binary
MD5: (not shown) | SHA256: (not shown)
3112 | raserver.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7A2566B0F62A979AF1A98E46C5B275CF | der
MD5: (not shown) | SHA256: (not shown)
3112 | raserver.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1SUK09Q\euv4[1].htm | html
MD5: (not shown) | SHA256: (not shown)
3112 | raserver.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der
MD5: (not shown) | SHA256: (not shown)
3112 | raserver.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\G91AFSNL\euv4[1].htm | html
MD5: (not shown) | SHA256: (not shown)
3112 | raserver.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
MD5: (not shown) | SHA256: (not shown)
3112 | raserver.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\0R23F2I3\euv4[1].htm | html
MD5: (not shown) | SHA256: (not shown)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 94
TCP/UDP connections: 101
DNS requests: 149
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

3112 | raserver.exe | GET | 302 | 164.155.212.158:80 | http://www.turkcuyuz.com/euv4/?rtxXt=3OQtiNXh+wtFz8SCz/eMPGMDt0zVl+r60W+m0NU9E763oXZXwvDQkSXGmk8=&3flpdZ=XN9pmdeXgT4P5p0p | ZA | - | - | malicious
3112 | raserver.exe | GET | 301 | 167.86.90.254:80 | http://www.alifdanismanlik.com/euv4/?rtxXt=TRVfPiqkTC84tdYg/KiHpdfMWo5oXu88iiOypom329GZBOB1ixIt/ccz2Tw=&3flpdZ=XN9pmdeXgT4P5p0p | US | - | - | malicious
3112 | raserver.exe | GET | 200 | 104.18.30.182:80 | http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQDl%2BKawXnSxln5J5gCs%2Byta | US | der | 472 b | whitelisted
3112 | raserver.exe | GET | 404 | 3.33.152.147:80 | http://www.nathanmartinez.digital/euv4/?rtxXt=mGXTyzJialrGJ6ePw2OLDmnY/3pKgDV4z5J4hNo/NMrjj/f7OqxMvsPq+Zk=&3flpdZ=XN9pmdeXgT4P5p0p | US | html | 48 b | malicious
3112 | raserver.exe | GET | 200 | 104.18.31.182:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted
3112 | raserver.exe | GET | 200 | 3.223.162.31:80 | http://www.teamidc.com/euv4/?rtxXt=hsP8jj2A4+3bkioolzk9x22j/b9mKfqd/wTwKW7IEmrhPiD8gI7OcIa2j1U=&3flpdZ=XN9pmdeXgT4P5p0p | US | html | 5.19 Kb | malicious
3112 | raserver.exe | GET | 200 | 104.18.30.182:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted
3112 | raserver.exe | GET | 404 | 52.20.218.92:80 | http://www.1207rossmoyne.com/euv4/?rtxXt=TT1JpN8L+7jajMh2m+yzKcbRRK1qHB2HVZAqXaTI7ZSCN6N8dyHZSsJ8Vek=&3flpdZ=XN9pmdeXgT4P5p0p | US | text | 55 b | malicious
3112 | raserver.exe | GET | 404 | 167.86.90.254:80 | http://alifdanismanlik.com/euv4/?rtxXt=TRVfPiqkTC84tdYg/KiHpdfMWo5oXu88iiOypom329GZBOB1ixIt/ccz2Tw=&3flpdZ=XN9pmdeXgT4P5p0p | US | html | 175 Kb | malicious
3112 | raserver.exe | GET | 403 | 103.120.80.144:8181 | http://www.77777.store:8181/euv4/?rtxXt=sV2k1WKFW/h3tnt1SxvAMNLfS+Ge3XGMDmXR9Q72EWiP35CH9Wik44u4CjM=&Zjh=VXRlp0oP5 | unknown | html | 23 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

3112 | raserver.exe | 3.33.152.147:80 | www.nathanmartinez.digital | - | US | malicious
3112 | raserver.exe | 164.155.212.158:80 | www.turkcuyuz.com | IS | ZA | malicious
3112 | raserver.exe | 162.0.232.72:80 | www.jasabacklinkweb20.com | AirComPlus Inc. | CA | malicious
3112 | raserver.exe | 162.0.232.72:443 | www.jasabacklinkweb20.com | AirComPlus Inc. | CA | malicious
3112 | raserver.exe | 104.18.30.182:80 | ocsp.comodoca.com | Cloudflare Inc | US | suspicious
3112 | raserver.exe | 206.188.193.217:80 | www.launchclik.com | Defense.Net, Inc | US | malicious
3112 | raserver.exe | 52.20.218.92:80 | www.1207rossmoyne.com | Amazon.com, Inc. | US | malicious
3112 | raserver.exe | 167.86.90.254:80 | www.alifdanismanlik.com | Arapahoe School District #6 | US | malicious
3112 | raserver.exe | 3.223.162.31:80 | www.teamidc.com | - | US | malicious
3112 | raserver.exe | 103.120.80.144:80 | www.77777.store | - | - | malicious

DNS requests

Domain
IP
Reputation
www.nathanmartinez.digital
  • 15.197.142.173
  • 3.33.152.147
malicious
www.turkcuyuz.com
  • 164.155.212.158
malicious
www.jasabacklinkweb20.com
  • 162.0.232.72
malicious
ocsp.comodoca.com
  • 104.18.30.182
  • 104.18.31.182
whitelisted
ocsp.usertrust.com
  • 104.18.31.182
  • 104.18.30.182
whitelisted
ocsp.sectigo.com
  • 104.18.30.182
  • 104.18.31.182
whitelisted
www.thecuratedpour.com
  • 74.220.199.6
malicious
www.rematedeldia.com
  • 23.227.38.74
malicious
rematedeldia.com
  • 23.227.38.32
malicious
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID | Process | Class | Message

- | - | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
3112 | raserver.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
No debug info